@Override public boolean emit(JSONObject message, Context context) { VariableResolver resolver = new MapVariableResolver(message); return processor.parse(query, resolver, functionResolver, context); } }
Map<String, Object> intermediateVariables = new HashMap<>(); Set<String> outputs = new HashSet<>(outputField); MapVariableResolver resolver = new MapVariableResolver(ret, intermediateVariables, input); resolver.add(sensorConfig); StellarProcessor processor = new CachingStellarProcessor(); for(Map.Entry<String, Object> kv : fieldMappingConfig.entrySet()) {
public MapVariableResolver(Map variableMappingOne, Map... variableMapping) { if (variableMappingOne != null) { variableMappings.add(variableMappingOne); } add(variableMapping); }
public static boolean runPredicate(String rule, Map resolver, Context context) { return runPredicate(rule, new MapVariableResolver(resolver), context); }
public String getHdfsPathExtension(String sourceType, String stellarFunction, JSONObject message) { // If no function is provided, just use the sourceType directly if(stellarFunction == null || stellarFunction.trim().isEmpty()) { return sourceType; } //processor is a StellarProcessor(); VariableResolver resolver = new MapVariableResolver(message); Object objResult = stellarProcessor.parse(stellarFunction, resolver, StellarFunctions.FUNCTION_RESOLVER(), Context.EMPTY_CONTEXT()); if(objResult != null && !(objResult instanceof String)) { throw new IllegalArgumentException("Stellar Function <" + stellarFunction + "> did not return a String value. Returned: " + objResult); } return objResult == null ? "" : (String)objResult; }
/** * Execute a Stellar expression. * * @param expression The expression to execute. * @param transientState Additional state available to the expression. This most often represents * the values available to the expression from an individual message. The state * maps a variable name to a variable's value. */ private Object execute(String expression, Map<String, Object> transientState) { VariableResolver variableResolver = new MapVariableResolver(state, transientState); StellarProcessor processor = new StellarProcessor(); return processor.parse(expression, variableResolver, functionResolver, context); } }
@Override public Object initializeState(Map<String, Object> config) { if(STATE_INIT.existsIn(config)) { MapVariableResolver resolver = new MapVariableResolver(globalConfig); return transformProcessor.parse( config.get(STATE_INIT.toString()).toString() , resolver , StellarFunctions.FUNCTION_RESOLVER() , stellarContext ); } return null; }
@Override public Object mergeStates(List<? extends Object> states) { return transformProcessor.parse( stateMerge , new MapVariableResolver(new HashMap<String, Object>() {{ put(STATES_KEY, states); }}, globalConfig) , StellarFunctions.FUNCTION_RESOLVER() , stellarContext ); }
@Override public boolean test(PacketInfo input) { Map<String, Object> fields = packetToFields(input); VariableResolver resolver = new MapVariableResolver(fields); return predicateProcessor.parse(queryString, resolver, StellarFunctions.FUNCTION_RESOLVER(), Context.EMPTY_CONTEXT()); }
s.expression = statement; s.functionResolver = StellarFunctions.FUNCTION_RESOLVER(); s.variableResolver = new MapVariableResolver(variables); DescriptiveStatistics stats = Microbenchmark.run(s, warmup, numTimes); out.println("Expression: " + statement);
@Override public boolean isValid( Map<String, Object> input , Map<String, Object> validationConfig , Map<String, Object> globalConfig , Context context ) { String condition = Config.CONDITION.get(validationConfig, String.class); if(condition == null) { return true; } else { StellarPredicateProcessor processor = new StellarPredicateProcessor(); return processor.parse(condition, new MapVariableResolver(input, validationConfig, globalConfig), StellarFunctions.FUNCTION_RESOLVER(), context); } }
private JSONObject enrich(JSONObject message, String field, ConfigHandler handler) { VariableResolver resolver = new MapVariableResolver(message); return StellarAdapter.process( message , handler , field , 1000L , processor , resolver , Context.EMPTY_CONTEXT() ); }
Map<String, Object> stateMap = new LinkedHashMap<>(); stateMap.put(STATE_KEY, state.get()); MapVariableResolver resolver = new MapVariableResolver(ret, ind, globalConfig, stateMap); transform(valueTransforms, ret, resolver); transform(indicatorTransforms, ind, resolver);
/** * Execute each expression. * @param expression The expression to execute. */ private Object execute(String expression, Context context) { Object result = processor.parse( expression, new MapVariableResolver(fields), StellarFunctions.FUNCTION_RESOLVER(), context); return result; } }
@Override public JSONObject enrich(CacheKey value) { Context stellarContext = (Context) value.getConfig().getConfiguration().get(STELLAR_CONTEXT_CONF); ConfigHandler handler = getHandler.apply(value.getConfig()); Map<String, Object> globalConfig = value.getConfig().getConfiguration(); Map<String, Object> sensorConfig = value.getConfig().getEnrichment().getConfig(); if(handler == null) { _LOG.trace("Stellar ConfigHandler is null."); return new JSONObject(); } Long slowLogThreshold = null; if(_PERF_LOG.isDebugEnabled()) { slowLogThreshold = ConversionUtils.convert(globalConfig.getOrDefault(STELLAR_SLOW_LOG, STELLAR_SLOW_LOG_DEFAULT), Long.class); } //Ensure that you clone the message, because process will modify the message. If the message object is modified //then cache misses will happen because the cache will be modified. Map<String, Object> message = new HashMap<>(value.getValue(Map.class)); VariableResolver resolver = new MapVariableResolver(message, sensorConfig, globalConfig); StellarProcessor processor = new StellarProcessor(); JSONObject enriched = process(message , handler , value.getField() , slowLogThreshold , processor , resolver , stellarContext ); _LOG.trace("Stellar Enrichment Success: {}", enriched); return enriched; }
/** * Executes Stellar expressions. * @param expression The expression to execute. */ private StellarResult executeStellar(String expression) { StellarResult result; try { // execute the stellar expression VariableResolver variableResolver = new MapVariableResolver(getVariables()); Object exprResult = new StellarProcessor().parse(expression, variableResolver, functionResolver, context); result = success(exprResult); } catch (Throwable t) { result = error(t); } return result; } }
@Override public Map<String, Object> map( Map<String, Object> input , final List<String> outputFields , LinkedHashMap<String, Object> fieldMappingConfig , Context context , Map<String, Object>... sensorConfig ) { String condition = getCondition(fieldMappingConfig); StellarPredicateProcessor processor = getPredicateProcessor(condition); if(processor.parse(condition, new MapVariableResolver(input), StellarFunctions.FUNCTION_RESOLVER(), context)) { return new HashMap<String, Object>() {{ for(String outputField : outputFields) { put(outputField, null); } }}; } return null; } }
private void checkFalsey(String falseyExpr) { VariableResolver resolver = new MapVariableResolver(new HashMap<>()); Assert.assertTrue(runPredicate(String.format(" %s || true", falseyExpr), resolver)); Assert.assertFalse(runPredicate(String.format("%s && EXCEPTION('blah')", falseyExpr), resolver)); Assert.assertTrue(runPredicate(String.format("NOT(%s)", falseyExpr), resolver)); Assert.assertFalse(runPredicate(String.format("if %s then true else false", falseyExpr), resolver)); Assert.assertFalse(runPredicate(String.format("if %s then true || %s else false", falseyExpr, falseyExpr), resolver)); Assert.assertFalse(runPredicate(String.format("if %s then true || %s else false && %s", falseyExpr, falseyExpr, falseyExpr), resolver)); Assert.assertFalse(runPredicate(String.format("if %s then true || %s else false && (%s || true)", falseyExpr, falseyExpr, falseyExpr), resolver)); //make sure that nulls aren't replaced by false everywhere, only in boolean expressions. Assert.assertNull(run(String.format("MAP_GET(%s, {false : 'blah'})", falseyExpr), resolver)); }
@Test @SuppressWarnings("unchecked") public void all_fields_test() { final Map<String, Object> varMap1 = new HashMap<String, Object>(); varMap1.put("field1", "val1"); final Map<String, Object> varMap2 = new HashMap<String, Object>(); varMap2.put("field2", "val2"); VariableResolver resolver = new MapVariableResolver(varMap1, varMap2); Assert.assertTrue(runPredicate("MAP_GET('field1', _) == 'val1'", resolver)); Assert.assertTrue(runPredicate("MAP_GET('field2', _) == 'val2'", resolver)); Assert.assertTrue(runPredicate("LENGTH(_) == 2", resolver)); Map<String, Object> ret = (Map<String, Object>) run("_", resolver); Assert.assertEquals(2, ret.size()); Assert.assertEquals("val1", ret.get("field1")); Assert.assertEquals("val2", ret.get("field2")); }
/** * @param message The message being triaged. */ @Nullable @Override public ThreatScore apply(@Nullable Map message) { ThreatScore threatScore = new ThreatScore(); StellarPredicateProcessor predicateProcessor = new StellarPredicateProcessor(); StellarProcessor processor = new StellarProcessor(); VariableResolver variableResolver = new MapVariableResolver(message, sensorConfig.getConfiguration(), threatIntelConfig.getConfig()); // attempt to apply each rule to the threat for(RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) { if(predicateProcessor.parse(rule.getRule(), variableResolver, functionResolver, context)) { // add the rule's score to the overall threat score String reason = execute(rule.getReason(), processor, variableResolver, String.class); Double score = execute(rule.getScoreExpression(), processor, variableResolver, Double.class); threatScore.addRuleScore(new RuleScore(rule, reason, score)); } } // calculate the aggregate threat score List<Number> ruleScores = new ArrayList<>(); for(RuleScore ruleScore: threatScore.getRuleScores()) { ruleScores.add(ruleScore.getScore()); } Aggregators aggregators = threatTriageConfig.getAggregator(); Double aggregateScore = aggregators.aggregate(ruleScores, threatTriageConfig.getAggregationConfig()); threatScore.setScore(aggregateScore); return threatScore; }