From 59b6a4e2736557e1a9900f3122687365849450a7 Mon Sep 17 00:00:00 2001 From: Chase Engelbrecht Date: Mon, 22 Apr 2024 16:15:45 -0700 Subject: [PATCH 1/5] Add models and interfaces for rule engine 
Signed-off-by: Chase Engelbrecht --- .../ruleengine/RuleEngine.java | 4 +++ .../ruleengine/evaluator/RuleEvaluator.java | 9 ++++++ .../evaluator/StatelessRuleEvaluator.java | 13 ++++++++ .../ruleengine/model/DataType.java | 23 ++++++++++++++ .../ruleengine/model/Match.java | 20 +++++++++++++ .../ruleengine/parser/RuleParser.java | 7 +++++ .../ruleengine/provider/RuleData.java | 30 +++++++++++++++++++ .../ruleengine/provider/RuleProvider.java | 7 +++++ .../ruleengine/rules/ParsedRules.java | 21 +++++++++++++ .../ruleengine/rules/Rule.java | 15 ++++++++++ .../ruleengine/rules/StatefulRule.java | 20 +++++++++++++ .../ruleengine/rules/StatelessRule.java | 15 ++++++++++ 12 files changed, 184 insertions(+) create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java 
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java
new file mode 100644
index 000000000..8df044c58
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java
@@ -0,0 +1,4 @@
+package org.opensearch.securityanalytics.ruleengine;
+
+public class RuleEngine {
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java
new file mode 100644
index 000000000..a9f6298e5
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java
@@ -0,0 +1,9 @@
+package org.opensearch.securityanalytics.ruleengine.evaluator;
+
+import org.opensearch.securityanalytics.ruleengine.model.Match;
+
+import java.util.List;
+
+public interface RuleEvaluator {
+ List evaluate(List data);
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
new file mode 100644
index 000000000..c8bf8839b
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
@@ -0,0 +1,13 @@
+package org.opensearch.securityanalytics.ruleengine.evaluator;
+
+import org.opensearch.securityanalytics.ruleengine.model.DataType;
+import org.opensearch.securityanalytics.ruleengine.model.Match;
+
+import java.util.List;
+
+public class StatelessRuleEvaluator implements RuleEvaluator {
+ @Override
+ public List evaluate(final List data) {
+ return null;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
new file mode 100644
index 000000000..99919c1b6
--- /dev/null
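Review bot: `StatelessRuleEvaluator.evaluate` returns `null` where the interface promises a list, so a caller that iterates the result fails with a NullPointerException and a caller that null-checks will read the stub as "no matches". On a detection path the unfinished state should be loud rather than silent: `throw new UnsupportedOperationException("stateless rule evaluation is not implemented yet");`. If an empty result really is the intended placeholder, return `List.of()` instead so the return value is never null.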
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
@@ -0,0 +1,23 @@
+package org.opensearch.securityanalytics.ruleengine.model;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public abstract class DataType {
+ private final Map dataTypeMetadata;
+
+ public DataType() {
+ this.dataTypeMetadata = new HashMap<>();
+ }
+
+ abstract Object getValue(String fieldName);
+ abstract String getTimeFieldName();
+
+ public void putDataTypeMetadata(final String key, final String value) {
+ dataTypeMetadata.put(key, value);
+ }
+
+ public Map getDataTypeMetadata() {
+ return dataTypeMetadata;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java
new file mode 100644
index 000000000..9227bc46e
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java
@@ -0,0 +1,20 @@
+package org.opensearch.securityanalytics.ruleengine.model;
+
+import org.opensearch.securityanalytics.ruleengine.rules.Rule;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class Match {
+ private final DataType datum;
+ private final List rules;
+
+ public Match(final DataType datum) {
+ this.datum = datum;
+ this.rules = new ArrayList<>();
+ }
+
+ public void addRule(final Rule rule) {
+ rules.add(rule);
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java
new file mode 100644
index 000000000..ea8661d2a
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java
@@ -0,0 +1,7 @@
+package org.opensearch.securityanalytics.ruleengine.parser;
+
+import org.opensearch.securityanalytics.ruleengine.rules.ParsedRules;
+
+public interface RuleParser {
+ ParsedRules parseRules();
+}
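Review bot: `getDataTypeMetadata()` in `DataType` hands out the internal `HashMap` itself, so any holder of a `DataType` can add, overwrite or clear metadata without going through `putDataTypeMetadata`. Return a read-only view instead, `return Collections.unmodifiableMap(dataTypeMetadata);`, which needs `import java.util.Collections;`. Whether instances are shared between evaluation threads is not visible from this hunk; if they are, the unsynchronised `HashMap` also needs confining or replacing.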
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
new file mode 100644
index 000000000..b9f381256
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
@@ -0,0 +1,30 @@
+package org.opensearch.securityanalytics.ruleengine.provider;
+
+import org.opensearch.securityanalytics.ruleengine.model.DataType;
+
+import java.util.Map;
+import java.util.function.Predicate;
+
+public class RuleData {
+ private final String ruleAsString;
+ private final Predicate evaluationCondition;
+ private final Map metadata;
+
+ public RuleData(final String ruleAsString, final Predicate evaluationCondition, final Map metadata) {
+ this.ruleAsString = ruleAsString;
+ this.evaluationCondition = evaluationCondition;
+ this.metadata = metadata;
+ }
+
+ public String getRuleAsString() {
+ return ruleAsString;
+ }
+
+ public Predicate getEvaluationCondition() {
+ return evaluationCondition;
+ }
+
+ public Map getMetadata() {
+ return metadata;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java
new file mode 100644
index 000000000..3d3d68921
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java
@@ -0,0 +1,7 @@
+package org.opensearch.securityanalytics.ruleengine.provider;
+
+import java.util.List;
+
+public interface RuleProvider {
+ List getRuleData();
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java
new file mode 100644
index 000000000..859134bb8
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java
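Review bot: `RuleData` keeps the caller's `metadata` map by reference and returns that same instance from `getMetadata()`, and none of the three constructor arguments is checked for null. A provider that later reuses or mutates its map would silently change an already-constructed rule, and a null `evaluationCondition` only surfaces when the rule is evaluated. Consider `this.evaluationCondition = Objects.requireNonNull(evaluationCondition, "evaluationCondition");` and `this.metadata = Map.copyOf(metadata);` (Java 10+, and note that `Map.copyOf` rejects null keys and values). The same applies to the two lists stored by `ParsedRules` and to `filterFields` in `StatefulRule`, where `List.copyOf` would serve.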
@@ -0,0 +1,21 @@
+package org.opensearch.securityanalytics.ruleengine.rules;
+
+import java.util.List;
+
+public class ParsedRules {
+ private final List statelessRules;
+ private final List statefulRules;
+
+ public ParsedRules(final List statelessRules, final List statefulRules) {
+ this.statelessRules = statelessRules;
+ this.statefulRules = statefulRules;
+ }
+
+ public List getStatelessRules() {
+ return statelessRules;
+ }
+
+ public List getStatefulRules() {
+ return statefulRules;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java
new file mode 100644
index 000000000..43670129c
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java
@@ -0,0 +1,15 @@
+package org.opensearch.securityanalytics.ruleengine.rules;
+
+import java.util.function.Predicate;
+
+public abstract class Rule {
+ private final String id;
+ private final Predicate evaluationCondition;
+ private final Predicate ruleCondition;
+
+ public Rule(final String id, final Predicate evaluationCondition, final Predicate ruleCondition) {
+ this.id = id;
+ this.evaluationCondition = evaluationCondition;
+ this.ruleCondition = ruleCondition;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java
new file mode 100644
index 000000000..86ae8b37b
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java
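Review bot: `Rule` carries two predicates with no documentation, and from the hunk alone it is not clear how `evaluationCondition` differs from `ruleCondition` or in which order an evaluator should apply them. A class-level Javadoc along the lines of `/** Base type for parsed rules: evaluationCondition decides whether a datum is in scope for the rule, ruleCondition decides whether it matches. */` would settle that, with the wording adjusted to the intended semantics. The three fields are also `private` with no accessor, so neither the subclasses nor an evaluator can read them yet; `Match` has the same write-only shape for `datum` and `rules`.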
@@ -0,0 +1,20 @@ +package org.opensearch.securityanalytics.ruleengine.rules; + +import org.opensearch.securityanalytics.ruleengine.model.Match; + +import java.time.Duration; +import java.util.List; +import java.util.function.Predicate; + +public class StatefulRule extends Rule> { + private final Duration timeframe; + private final List filterFields; + + public StatefulRule(final String id, final Predicate evaluationCondition, + final Predicate> ruleCondition, final Duration timeframe, + final List filterFields) { + super(id, evaluationCondition, ruleCondition); + this.timeframe = timeframe; + this.filterFields = filterFields; + } +} diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java new file mode 100644 index 000000000..437800520 --- /dev/null +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java @@ -0,0 +1,15 @@ +package org.opensearch.securityanalytics.ruleengine.rules; + +import org.opensearch.securityanalytics.ruleengine.model.DataType; + +import java.util.function.Predicate; + +public class StatelessRule extends Rule { + private final boolean isStatefulCondition; + + public StatelessRule(final String id, final Predicate evaluationCondition, + final Predicate ruleCondition, final boolean isStatefulCondition) { + super(id, evaluationCondition, ruleCondition); + this.isStatefulCondition = isStatefulCondition; + } +} From 9dbc8ca292d4c1a8fbd499f2e5fb49b31ad3cefa Mon Sep 17 00:00:00 2001 From: Chase Engelbrecht Date: Mon, 22 Apr 2024 16:21:15 -0700 Subject: [PATCH 2/5] Add javadoc for interfaces Signed-off-by: Chase Engelbrecht --- .../ruleengine/evaluator/RuleEvaluator.java | 6 ++++++ .../securityanalytics/ruleengine/parser/RuleParser.java | 9 ++++++++- .../ruleengine/provider/RuleProvider.java | 5 +++++ 3 files changed, 19 insertions(+), 1 deletion(-) 
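Review bot: The field `isStatefulCondition` on a class named `StatelessRule` reads as a contradiction, and nothing in the hunk says what the flag means. Add a field comment stating the intent, for example `// true when this rule only feeds a stateful rule and must not raise a match on its own` if that is the meaning, or rename the field. An evaluator that misreads the flag would either suppress or duplicate detections, so the contract is worth pinning down before the evaluator is written. `StatefulRule` in the same patch likewise leaves `timeframe` and `filterFields` undocumented.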
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java index a9f6298e5..392441c12 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java @@ -5,5 +5,11 @@ import java.util.List; public interface RuleEvaluator { + /** + * A method to evaluate the rules against a set of incoming data. + * + * @param data - the data to be evaluated against the rules + * @return - A list of Matches for positive rule evaluations against the incoming data + */ List evaluate(List data); } diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java index ea8661d2a..cee9a49a2 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java @@ -1,7 +1,14 @@ package org.opensearch.securityanalytics.ruleengine.parser; +import org.opensearch.securityanalytics.ruleengine.provider.RuleData; import org.opensearch.securityanalytics.ruleengine.rules.ParsedRules; public interface RuleParser { - ParsedRules parseRules(); + /** + * A method to parse the information of a RuleData object into the internal representation of a rule used for evaluation. + * + * @param ruleData - the information representing one or more rules to be parsed + * @return - A ParsedRules object containing the internal representation of the rules that were parsed + */ + ParsedRules parseRules(RuleData ruleData); } diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java index 3d3d68921..1c93f663e 100644 
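Review bot: The new Javadoc on `parseRules(RuleData ruleData)` does not say what happens when the rule content cannot be parsed. `RuleProvider` is documented in this same patch as fetching from an external source, so the parser is where malformed or unexpected rule text is first seen, and callers need to know whether they get an exception, a partial `ParsedRules` or an empty one. Suggest adding a line such as `@throws IllegalArgumentException if ruleData cannot be parsed into a valid rule`, or documenting the skip-and-continue behaviour if that is what is intended. The `@param` and `@return` descriptions in all three interfaces also start with a literal `- `, which Javadoc renders as part of the text.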
--- a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java @@ -3,5 +3,10 @@ import java.util.List; public interface RuleProvider { + /** + * A method to fetch RuleData from an external source + * + * @return - A list of RuleData used to parse the rules into the internal representation used for evaluation + */ List getRuleData(); } From 149c7e882a2ae8ca2074cfe013d0c37cf0ff0280 Mon Sep 17 00:00:00 2001 From: Chase Engelbrecht Date: Mon, 22 Apr 2024 16:41:57 -0700 Subject: [PATCH 3/5] Add license headers Signed-off-by: Chase Engelbrecht --- .../opensearch/securityanalytics/ruleengine/RuleEngine.java | 4 ++++ .../securityanalytics/ruleengine/evaluator/RuleEvaluator.java | 4 ++++ .../ruleengine/evaluator/StatelessRuleEvaluator.java | 4 ++++ .../securityanalytics/ruleengine/model/DataType.java | 4 ++++ .../opensearch/securityanalytics/ruleengine/model/Match.java | 4 ++++ .../securityanalytics/ruleengine/parser/RuleParser.java | 4 ++++ .../securityanalytics/ruleengine/provider/RuleData.java | 4 ++++ .../securityanalytics/ruleengine/provider/RuleProvider.java | 4 ++++ .../securityanalytics/ruleengine/rules/ParsedRules.java | 4 ++++ .../opensearch/securityanalytics/ruleengine/rules/Rule.java | 4 ++++ .../securityanalytics/ruleengine/rules/StatefulRule.java | 4 ++++ .../securityanalytics/ruleengine/rules/StatelessRule.java | 4 ++++ 12 files changed, 48 insertions(+) diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java index 8df044c58..f1fb6fe78 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java 
@@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine; public class RuleEngine { diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java index 392441c12..e126f0ea1 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.evaluator; import org.opensearch.securityanalytics.ruleengine.model.Match; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java index c8bf8839b..8a3b2d846 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.evaluator; import org.opensearch.securityanalytics.ruleengine.model.DataType; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java index 99919c1b6..faa9c812d 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java 
@@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.model; import java.util.HashMap; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java index 9227bc46e..ff6eff2c2 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.model; import org.opensearch.securityanalytics.ruleengine.rules.Rule; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java index cee9a49a2..3cde5a739 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.parser; import org.opensearch.securityanalytics.ruleengine.provider.RuleData; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java index b9f381256..253db104b 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java 
@@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.provider; import org.opensearch.securityanalytics.ruleengine.model.DataType; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java index 1c93f663e..fa5f60788 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.provider; import java.util.List; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java index 859134bb8..c71b7862b 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.rules; import java.util.List; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java index 43670129c..6f7cbe5fe 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.rules; import java.util.function.Predicate; 
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java index 86ae8b37b..7ae1c6302 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.rules; import org.opensearch.securityanalytics.ruleengine.model.Match; diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java index 437800520..492933459 100644 --- a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java +++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java @@ -1,3 +1,7 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ package org.opensearch.securityanalytics.ruleengine.rules; import org.opensearch.securityanalytics.ruleengine.model.DataType; From 9303562c3007aaa7dd812628ab2be238948f322c Mon Sep 17 00:00:00 2001 From: Chase Engelbrecht Date: Tue, 23 Apr 2024 13:12:56 -0700 Subject: [PATCH 4/5] Move rule engine to its own gradle project 
Signed-off-by: Chase Engelbrecht --- rule-engine/build.gradle | 18 ++++++++++++++++++ .../ruleengine/RuleEngine.java | 0 .../ruleengine/evaluator/RuleEvaluator.java | 0 .../evaluator/StatelessRuleEvaluator.java | 0 .../ruleengine/model/DataType.java | 0 .../ruleengine/model/Match.java | 0 .../ruleengine/parser/RuleParser.java | 0 .../ruleengine/provider/RuleData.java | 0 .../ruleengine/provider/RuleProvider.java | 0 .../ruleengine/rules/ParsedRules.java | 0 .../ruleengine/rules/Rule.java | 0 .../ruleengine/rules/StatefulRule.java | 0 .../ruleengine/rules/StatelessRule.java | 0 13 files changed, 18 insertions(+) create mode 100644 rule-engine/build.gradle rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/RuleEngine.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/evaluator/RuleEvaluator.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/evaluator/StatelessRuleEvaluator.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/model/DataType.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/model/Match.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/parser/RuleParser.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/provider/RuleData.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/provider/RuleProvider.java (100%) rename {src/main/java/org/opensearch/securityanalytics 
=> rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/rules/ParsedRules.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/rules/Rule.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/rules/StatefulRule.java (100%) rename {src/main/java/org/opensearch/securityanalytics => rule-engine/src/main/java/org.opensearch.securityanalytics}/ruleengine/rules/StatelessRule.java (100%) diff --git a/rule-engine/build.gradle b/rule-engine/build.gradle new file mode 100644 index 000000000..40b3df78c --- /dev/null +++ b/rule-engine/build.gradle @@ -0,0 +1,18 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +apply plugin: 'java' +apply plugin: 'jacoco' + +repositories { + mavenLocal() + mavenCentral() + maven { url "https://aws.oss.sonatype.org/content/repositories/snapshots" } +} + +dependencies { + implementation rootProject + implementation "com.github.seancfoley:ipaddress:5.4.1" +} \ No newline at end of file diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/RuleEngine.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/RuleEngine.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/RuleEvaluator.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/RuleEvaluator.java 
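Review bot: The `repositories` block in `rule-engine/build.gradle` lists `mavenLocal()` first and adds a snapshots repository with no content filter. Gradle consults repositories in declaration order, so whatever sits in a developer's or CI agent's local Maven cache takes precedence over Maven Central, and snapshot artifacts are mutable by design. Unless a locally installed artifact is really required, drop `mavenLocal()` or move it last, and scope the snapshot repository with `mavenContent { snapshotsOnly() }` plus a `content { includeGroup "<expected group>" }` filter naming the groups it is meant to serve. The file also ends without a trailing newline.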
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/DataType.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/DataType.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/Match.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/Match.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/parser/RuleParser.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/parser/RuleParser.java 
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleData.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleData.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleProvider.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleProvider.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/ParsedRules.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/ParsedRules.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/Rule.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/Rule.java 
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatefulRule.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatefulRule.java diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java b/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatelessRule.java similarity index 100% rename from src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java rename to rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatelessRule.java From 730d5633a6369cff4eae6e05da29336c61843ede Mon Sep 17 00:00:00 2001 From: Chase Engelbrecht Date: Wed, 24 Apr 2024 19:10:33 -0700 Subject: [PATCH 5/5] Fix directory structure 
Signed-off-by: Chase Engelbrecht
---
 .../securityanalytics}/ruleengine/RuleEngine.java | 0
 .../ruleengine/evaluator/RuleEvaluator.java | 0
 .../ruleengine/evaluator/StatelessRuleEvaluator.java | 0
 .../securityanalytics}/ruleengine/model/DataType.java | 4 ++--
 .../securityanalytics}/ruleengine/model/Match.java | 0
 .../securityanalytics}/ruleengine/parser/RuleParser.java | 0
 .../securityanalytics}/ruleengine/provider/RuleData.java | 6 +++---
 .../ruleengine/provider/RuleProvider.java | 0
 .../securityanalytics}/ruleengine/rules/ParsedRules.java | 0
 .../securityanalytics}/ruleengine/rules/Rule.java | 0
 .../securityanalytics}/ruleengine/rules/StatefulRule.java | 0
 .../securityanalytics}/ruleengine/rules/StatelessRule.java | 0
 12 files changed, 5 insertions(+), 5 deletions(-)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/RuleEngine.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/evaluator/RuleEvaluator.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/evaluator/StatelessRuleEvaluator.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/model/DataType.java (85%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/model/Match.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/parser/RuleParser.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/provider/RuleData.java (83%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/provider/RuleProvider.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/rules/ParsedRules.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/rules/Rule.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/rules/StatefulRule.java (100%)
 rename rule-engine/src/main/java/{org.opensearch.securityanalytics => org/opensearch/securityanalytics}/ruleengine/rules/StatelessRule.java (100%)
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/RuleEngine.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/RuleEngine.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/RuleEvaluator.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/RuleEvaluator.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/DataType.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
similarity index 85%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/DataType.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
index faa9c812d..f38204230 100644
--- a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/DataType.java
+++ b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
@@ -14,8 +14,8 @@ public DataType() {
 this.dataTypeMetadata = new HashMap<>();
 }
- abstract Object getValue(String fieldName);
- abstract String getTimeFieldName();
+ public abstract Object getValue(String fieldName);
+ public abstract String getTimeFieldName();
 public void putDataTypeMetadata(final String key, final String value) {
 dataTypeMetadata.put(key, value);
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/Match.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/model/Match.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/parser/RuleParser.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/parser/RuleParser.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java
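Review bot: Neither `getValue` nor `getTimeFieldName`, made public in the DataType.java hunk, carries a comment stating its contract, and in particular nothing says what `getValue` returns for a field the event does not contain. With the methods now callable from outside the `model` package (presumably by the evaluators), whether an absent field yields `null` or an exception decides if a rule condition on that field quietly fails to match or aborts evaluation, so it should be written down once the intended behaviour is confirmed, e.g. `/** Returns the value of fieldName in this event, or null when the field is absent. */`. `getTimeFieldName` would likewise benefit from one line saying which timestamp field it names. The class declaration and the rest of `putDataTypeMetadata` lie outside the hunk.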
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleData.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
similarity index 83%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleData.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
index 253db104b..4d98add9d 100644
--- a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleData.java
+++ b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
@@ -12,9 +12,9 @@ public class RuleData {
 private final String ruleAsString;
 private final Predicate evaluationCondition;
- private final Map metadata;
+ private final Map metadata;
- public RuleData(final String ruleAsString, final Predicate evaluationCondition, final Map metadata) {
+ public RuleData(final String ruleAsString, final Predicate evaluationCondition, final Map metadata) {
 this.ruleAsString = ruleAsString;
 this.evaluationCondition = evaluationCondition;
 this.metadata = metadata;
@@ -28,7 +28,7 @@ public Predicate getEvaluationCondition() {
 return evaluationCondition;
 }
- public Map getMetadata() {
+ public Map getMetadata() {
 return metadata;
 }
 }
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleProvider.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/provider/RuleProvider.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java
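Review bot: The RuleData constructor keeps the caller's map by reference (`this.metadata = metadata;` in the first hunk) and `getMetadata()` in the second hunk returns that same instance, so the `final` field does not prevent rule metadata from changing after the object is built. Anyone holding the original map or the getter's result can alter what accompanies a detection rule once it has been handed to the engine; a defensive copy such as `this.metadata = Map.copyOf(metadata);` closes that, with the caveat that `Map.copyOf` rejects a null argument and null keys or values. The removed and added lines read identically here, which suggests the type arguments were lost in rendering, so the copy should keep whatever parameterisation the new side declares. The constructor's closing brace and the top of the class are outside the first hunk.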
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/ParsedRules.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/ParsedRules.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/Rule.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/Rule.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatefulRule.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatefulRule.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java
diff --git a/rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatelessRule.java b/rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java
similarity index 100%
rename from rule-engine/src/main/java/org.opensearch.securityanalytics/ruleengine/rules/StatelessRule.java
rename to rule-engine/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java