feat: ESQL query validation against Elastic cluster (#4955)

* Add remote ESQL validation --------- Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co> Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-15 21:17:07 +02:00
parent 00ed573623
commit c7246313f7
22 changed files with 1513 additions and 180 deletions
@@ -19,6 +19,7 @@ from requests import HTTPError
 from .config import load_current_package_version
 from .misc import ClientError, get_elasticsearch_client, get_kibana_client, getdefault
 from .rule import TOMLRule, TOMLRuleContents
+from .rule_validators import ESQLValidator
 from .schemas import definitions


@@ -177,25 +178,40 @@ class RemoteValidator(RemoteConnector):

        return responses  # type: ignore[reportUnknownVariableType]

-    def validate_esql(self, contents: TOMLRuleContents) -> dict[str, Any]:
+    def validate_esql(self, contents: TOMLRuleContents, index_replacement: bool = False) -> dict[str, Any]:
+        """Validate query for "esql" rule types. Optionally replace indices and use ESQLValidator."""
        query = contents.data.query  # type: ignore[reportAttributeAccessIssue]
        rule_id = contents.data.rule_id
-        headers = {"accept": "application/json", "content-type": "application/json"}
-        body = {"query": f"{query} | LIMIT 0"}
        if not self.es_client:
            raise ValueError("No ES client found")
-        try:
-            response = self.es_client.perform_request(
-                "POST",
-                "/_query",
-                headers=headers,
-                params={"pretty": True},
-                body=body,
-            )
-        except Exception as exc:
-            if isinstance(exc, elasticsearch.BadRequestError):
-                raise ValidationError(f"ES|QL query failed: {exc} for rule: {rule_id}, query: \n{query}") from exc
-            raise Exception(f"ES|QL query failed for rule: {rule_id}, query: \n{query}") from exc  # noqa: TRY002
+        if not self.kibana_client:
+            raise ValueError("No Kibana client found")
+
+        if index_replacement:
+            try:
+                validator = ESQLValidator(contents.data.query)  # type: ignore[reportIncompatibleMethodOverride]
+                response = validator.remote_validate_rule_contents(self.kibana_client, self.es_client, contents)
+            except Exception as exc:
+                if isinstance(exc, elasticsearch.BadRequestError):
+                    raise ValidationError(f"ES|QL query failed: {exc} for rule: {rule_id}, query: \n{query}") from exc
+                raise Exception(f"ES|QL query failed for rule: {rule_id}, query: \n{query}") from exc  # noqa: TRY002
+        else:
+            headers = {"accept": "application/json", "content-type": "application/json"}
+            body = {"query": f"{query} | LIMIT 0"}
+            if not self.es_client:
+                raise ValueError("No ES client found")
+            try:
+                response = self.es_client.perform_request(
+                    "POST",
+                    "/_query",
+                    headers=headers,
+                    params={"pretty": True},
+                    body=body,
+                )
+            except Exception as exc:
+                if isinstance(exc, elasticsearch.BadRequestError):
+                    raise ValidationError(f"ES|QL query failed: {exc} for rule: {rule_id}, query: \n{query}") from exc
+                raise Exception(f"ES|QL query failed for rule: {rule_id}, query: \n{query}") from exc  # noqa: TRY002

        return response.body