From 582a842e322d2ca64b0e4af4c88021c287203724 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 16 Sep 2021 09:25:26 -0800
Subject: [PATCH] [KQL] Add support for date fields in parser (#1487)
* [KQL] Add support for date fields in parser
* add test for parsing date value
---
kql/__init__.py | 2 +-
kql/parser.py | 3 +++
tests/kuery/test_parser.py | 9 +++++++++
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/kql/__init__.py b/kql/__init__.py
index e0889d40d..59c73243a 100644
--- a/kql/__init__.py
+++ b/kql/__init__.py
@@ -13,7 +13,7 @@ from .evaluator import FilterGenerator
from .kql2eql import KqlToEQL
from .parser import lark_parse, KqlParser
-__version__ = '0.1.4'
+__version__ = '0.1.5'
__all__ = (
"ast",
"from_eql",
diff --git a/kql/parser.py b/kql/parser.py
index ac719cb7e..bdf66ae05 100644
--- a/kql/parser.py
+++ b/kql/parser.py
@@ -224,6 +224,9 @@ class BaseKqlParser(Interpreter):
elif field_type_family == "ip" and value_type == "keyword":
if "::" in python_value or self.ip_regex.match(python_value) is not None:
return python_value
+ elif field_type_family == 'date' and value_type in STRING_FIELDS:
+ # this will not validate datemath syntax
+ return python_value
raise self.error(value_tree, "Value doesn't match {field}'s type: {type}", field=field_name, type=field_type)
diff --git a/tests/kuery/test_parser.py b/tests/kuery/test_parser.py
index e2b445a77..444d55f1b 100644
--- a/tests/kuery/test_parser.py
+++ b/tests/kuery/test_parser.py
@@ -8,6 +8,7 @@ import kql
from kql.ast import (
Field,
FieldComparison,
+ FieldRange,
String,
Number,
Exists,
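Review bot: In kql/parser.py the new `date` branch returns `python_value` for every string it is given, so a mistyped datemath expression or a word that is not a date at all passes this type check and is presumably only rejected once the query reaches the backend. For rule content validated with this parser, that means a broken time filter can ship without the linter noticing. The neighbouring `ip` branch checks its value against `self.ip_regex` before returning; a comparable pattern check for dates (ISO 8601 timestamps and `now`-anchored datemath) would keep the two branches consistent. Until then the comment should state the consequence rather than only the omission, e.g. `# NOTE: any string is accepted here; malformed dates/datemath are not rejected and only surface at query time`. `STRING_FIELDS` and the enclosing method are defined outside this hunk, so which value types actually reach the branch cannot be confirmed from here.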
@@ -72,7 +73,15 @@ class ParserTests(unittest.TestCase):
def test_type_family_success(self):
kql.parse("abc : 1.2345", schema={"abc": "scaled_float"})
kql.parse("abc : hello", schema={"abc": "annotated-text"})
+ kql.parse("abc >= now-30d", schema={"abc": "date_nanos"})
def test_type_family_fail(self):
with self.assertRaises(kql.KqlParseError):
kql.parse('foo : "hello world"', schema={"foo": "scaled_float"})
+
+ def test_date(self):
+ schema = {"@time": "date"}
+ self.validate('@time <= now-10d', FieldRange(Field("@time"), "<=", String("now-10d")), schema=schema)
+
+ with self.assertRaises(kql.KqlParseError):
+ kql.parse("@time > 5", schema=schema)
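Review bot: `test_date` covers one `now`-relative value and one rejected number, but nothing pins what the parser does with a string that is not a date, which the parser change in this commit accepts without validation. A case such as `kql.parse('@time <= "not-a-date"', schema=schema)  # known gap: date strings are not validated` would document the limitation, assuming a quoted value takes the same branch, and give a later validation change a test to flip to `assertRaises`. A quoted absolute timestamp would also be worth adding, since only datemath values are exercised. The `ParserTests` class begins outside the hunk.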