remove query pattern

alexvolha · alexvolha · commit a0f5f0662881 · 2024-06-19T09:13:10.000+03:00
diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py
@@ -200,7 +200,6 @@ class PlatformQueryRender(QueryRender):
 
     field_value_map = BaseQueryFieldValue(or_token=or_token)
 
-    query_pattern = "{prefix}{query}{functions}"
     raw_log_field_pattern_map: ClassVar[dict[str, str]] = None
 
     def __init__(self):
@@ -211,12 +210,6 @@ def __init__(self):
             LogicalOperatorType.NOT: f" {self.not_token} ",
         }
 
-    def query_concatenation(self, prefix: str, search: str, functions: str) -> str:
-        prefix = prefix if prefix else ""
-        search = f" {search}" if search else ""
-        functions = f" {functions}" if functions else ""
-        return self.query_pattern.format(prefix=prefix, query=search, functions=functions).strip()
-
     def generate_prefix(self, log_source_signature: LogSourceSignature, functions_prefix: str = "") -> str:  # noqa: ARG002
         if str(log_source_signature):
             return f"{log_source_signature!s} {self.and_token}"
@@ -287,6 +280,10 @@ def wrap_query_with_meta_info(self, meta_info: MetaInfoContainer, query: str) ->
             query = f"{query}\n\n{query_meta_info}"
         return query
 
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return query
+
     def finalize_query(
         self,
         prefix: str,
@@ -298,8 +295,8 @@ def finalize_query(
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
-        query = self.query_pattern.format(prefix=prefix, query=query, functions=functions).strip()
-
+        parts = filter(lambda s: bool(s), map(str.strip, [prefix, self._finalize_search_query(query), functions]))
+        query = " ".join(parts)
         query = self.wrap_query_with_meta_info(meta_info=meta_info, query=query)
         if not_supported_functions:
             rendered_not_supported = self.render_not_supported_functions(not_supported_functions)
@@ -342,7 +339,7 @@ def _generate_from_raw_query_container(self, query_container: RawQueryContainer)
 
     def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]:
         if raw_log_field_pattern := self.raw_log_field_pattern_map.get(field_type):
-            return raw_log_field_pattern.pattern.format(field=field)
+            return raw_log_field_pattern.format(field=field)
 
     def process_raw_log_field_prefix(self, field: str, source_mapping: SourceMapping) -> Optional[list]:
         if isinstance(field, list):
diff --git a/uncoder-core/app/translator/platforms/athena/renders/athena.py b/uncoder-core/app/translator/platforms/athena/renders/athena.py
@@ -36,6 +36,9 @@ class AthenaQueryRender(SqlQueryRender):
     or_token = "OR"
 
     field_value_map = AthenaFieldValue(or_token=or_token)
-    query_pattern = "{prefix} WHERE{query}{functions}"
     comment_symbol = "--"
     is_single_line_comment = True
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"WHERE {query}" if query else ""
diff --git a/uncoder-core/app/translator/platforms/base/aql/renders/aql.py b/uncoder-core/app/translator/platforms/base/aql/renders/aql.py
@@ -128,7 +128,6 @@ class AQLQueryRender(PlatformQueryRender):
     not_token = "NOT"
 
     field_value_map = AQLFieldValue(or_token=or_token)
-    query_pattern = "{prefix} AND{query}{functions}"
 
     def generate_prefix(self, log_source_signature: AQLLogSourceSignature, functions_prefix: str = "") -> str:  # noqa: ARG002
         table = str(log_source_signature)
@@ -137,3 +136,7 @@ def generate_prefix(self, log_source_signature: AQLLogSourceSignature, functions
 
     def wrap_with_comment(self, value: str) -> str:
         return f"/* {value} */"
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"AND {query}" if query else ""
diff --git a/uncoder-core/app/translator/platforms/base/lucene/renders/lucene.py b/uncoder-core/app/translator/platforms/base/lucene/renders/lucene.py
@@ -107,8 +107,6 @@ class LuceneQueryRender(PlatformQueryRender):
     and_token = "AND"
     not_token = "NOT"
 
-    query_pattern = "{query}{functions}"
-
     comment_symbol = "//"
     is_single_line_comment = True
 
diff --git a/uncoder-core/app/translator/platforms/base/spl/renders/spl.py b/uncoder-core/app/translator/platforms/base/spl/renders/spl.py
@@ -79,7 +79,6 @@ class SplQueryRender(PlatformQueryRender):
     and_token = "AND"
     not_token = "NOT"
 
-    query_pattern = "{prefix} {query} {functions}"
     comment_symbol = "```"
 
     def wrap_with_comment(self, value: str) -> str:
diff --git a/uncoder-core/app/translator/platforms/base/sql/renders/sql.py b/uncoder-core/app/translator/platforms/base/sql/renders/sql.py
@@ -77,10 +77,13 @@ class SqlQueryRender(PlatformQueryRender):
     and_token = "AND"
     not_token = "NOT"
 
-    query_pattern = "{prefix} WHERE {query} {functions}"
     comment_symbol = "--"
     is_single_line_comment = True
 
     def generate_prefix(self, log_source_signature: LogSourceSignature, functions_prefix: str = "") -> str:  # noqa: ARG002
         table = str(log_source_signature) if str(log_source_signature) else "eventlog"
         return f"SELECT * FROM {table}"
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"WHERE {query}" if query else ""
diff --git a/uncoder-core/app/translator/platforms/chronicle/renders/chronicle.py b/uncoder-core/app/translator/platforms/chronicle/renders/chronicle.py
@@ -110,6 +110,5 @@ class ChronicleQueryRender(PlatformQueryRender):
     not_token = "not"
 
     field_value_map = ChronicleFieldValue(or_token=or_token)
-    query_pattern = "{query} {functions}"
     comment_symbol = "//"
     is_single_line_comment = True
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike.py b/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike.py
@@ -32,7 +32,6 @@ class CrowdStrikeFieldValue(SplFieldValue):
 @render_manager.register
 class CrowdStrikeQueryRender(SplQueryRender):
     details: PlatformDetails = crowdstrike_query_details
-    query_pattern = "{prefix} {query} {functions}"
     mappings: CrowdstrikeMappings = crowdstrike_mappings
     platform_functions: CrowdStrikeFunctions = None
 
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
@@ -51,7 +51,6 @@ class ElasticSearchRuleRender(ElasticSearchQueryRender):
     not_token = "NOT"
 
     field_value_map = ElasticSearchRuleFieldValue(or_token=or_token)
-    query_pattern = "{prefix} {query} {functions}"
 
     def __create_mitre_threat(self, mitre_attack: dict) -> Union[list, list[dict]]:
         if not mitre_attack.get("techniques"):
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/elast_alert.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/elast_alert.py
@@ -50,7 +50,6 @@ class ElastAlertRuleRender(ElasticSearchQueryRender):
     not_token = "NOT"
 
     field_value_map = ElasticAlertRuleFieldValue(or_token=or_token)
-    query_pattern = "{prefix} {query} {functions}"
 
     def finalize_query(
         self,
diff --git a/uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py b/uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py
@@ -193,7 +193,6 @@ class FortiSiemRuleRender(PlatformQueryRender):
     not_token = None
 
     group_token = "(%s)"
-    query_pattern = "{prefix} {query}"
 
     field_value_map = FortiSiemFieldValue(or_token=or_token)
 
@@ -304,15 +303,15 @@ def finalize_query(
         self,
         prefix: str,
         query: str,
-        functions: str,  # noqa: ARG002
+        functions: str,
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
         fields: Optional[set[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
-        query = self.query_pattern.format(prefix=prefix, query=query).strip()
+        query = super().finalize_query(prefix=prefix, query=query, functions=functions)
         rule = FORTI_SIEM_RULE.replace("<header_placeholder>", self.generate_rule_header(meta_info))
         title = meta_info.title or _AUTOGENERATED_TEMPLATE
         rule = rule.replace("<name_placeholder>", self.generate_rule_name(title))
diff --git a/uncoder-core/app/translator/platforms/hunters/renders/hunters.py b/uncoder-core/app/translator/platforms/hunters/renders/hunters.py
@@ -36,4 +36,7 @@ class HuntersQueryRender(SqlQueryRender):
     or_token = "OR"
 
     field_value_map = HuntersFieldValue(or_token=or_token)
-    query_pattern = "{prefix} WHERE {query} {functions}"
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"WHERE {query}" if query else ""
diff --git a/uncoder-core/app/translator/platforms/logrhythm_axon/renders/logrhythm_axon_query.py b/uncoder-core/app/translator/platforms/logrhythm_axon/renders/logrhythm_axon_query.py
@@ -204,13 +204,16 @@ class LogRhythmAxonQueryRender(PlatformQueryRender):
     not_token = "NOT"
 
     field_value_map = LogRhythmAxonFieldValue(or_token=or_token)
-    query_pattern = "{prefix} AND {query}"
 
     mappings: LogRhythmAxonMappings = logrhythm_axon_mappings
     comment_symbol = "//"
     is_single_line_comment = True
     is_strict_mapping = True
 
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"AND {query}" if query else ""
+
     def generate_prefix(self, log_source_signature: LogSourceSignature, functions_prefix: str = "") -> str:  # noqa: ARG002
         return str(log_source_signature)
 
diff --git a/uncoder-core/app/translator/platforms/logscale/renders/logscale.py b/uncoder-core/app/translator/platforms/logscale/renders/logscale.py
@@ -103,7 +103,6 @@ class LogScaleQueryRender(PlatformQueryRender):
     not_token = "not"
 
     field_value_map = LogScaleFieldValue(or_token=or_token)
-    query_pattern = "{prefix} {query} {functions}"
 
     def init_platform_functions(self) -> None:
         self.platform_functions = log_scale_functions
@@ -123,10 +122,7 @@ def finalize_query(
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
-        if prefix:
-            query = self.query_pattern.format(prefix=prefix, query=query, functions=functions)
-        else:
-            query = f"{query} {functions.lstrip()}"
+        query = super().finalize_query(prefix=prefix, query=query, functions=functions)
         query = self.wrap_query_with_meta_info(meta_info=meta_info, query=query)
         if not_supported_functions:
             rendered_not_supported = self.render_not_supported_functions(not_supported_functions)
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel.py
@@ -129,7 +129,6 @@ class MicrosoftSentinelQueryRender(PlatformQueryRender):
     not_token = "not"
 
     field_value_map = MicrosoftSentinelFieldValue(or_token=or_token)
-    query_pattern = "{prefix} | where {query}{functions}"
 
     mappings: MicrosoftSentinelMappings = microsoft_sentinel_mappings
     comment_symbol = "//"
@@ -141,3 +140,7 @@ def init_platform_functions(self) -> None:
 
     def generate_prefix(self, log_source_signature: LogSourceSignature, functions_prefix: str = "") -> str:  # noqa: ARG002
         return str(log_source_signature)
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"| where {query}" if query else ""
diff --git a/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_rule.py b/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_rule.py
@@ -50,7 +50,6 @@ class OpenSearchRuleRender(OpenSearchQueryRender):
     not_token = "NOT"
 
     field_value_map = OpenSearchRuleFieldValue(or_token=or_token)
-    query_pattern = "{prefix} {query} {functions}"
 
     def __init__(self):
         super().__init__()
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -149,7 +149,6 @@ class CortexXQLQueryRender(PlatformQueryRender):
     not_token = "not"
 
     field_value_map = CortexXQLFieldValue(or_token=or_token)
-    query_pattern = "{prefix} | filter {query} {functions}"
     comment_symbol = "//"
     is_single_line_comment = False
 
@@ -172,3 +171,7 @@ def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]:
     def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, functions_prefix: str = "") -> str:
         functions_prefix = f"{functions_prefix} | " if functions_prefix else ""
         return f"{functions_prefix}{log_source_signature}"
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"| filter {query}" if query else ""
