render unmapped fields comment

alexvolha · alexvolha · commit 83c12c8436ff · 2024-07-11T17:01:37.000+03:00
diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py
@@ -10,19 +10,14 @@ class BasePlatformException(BaseException):
 
 
 class StrictPlatformException(BasePlatformException):
-    field_name: str = None
-
-    def __init__(
-        self, platform_name: str, field_name: str, mapping: Optional[str] = None, detected_fields: Optional[list] = None
-    ):
+    def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str] = None):
         message = (
             f"Platform {platform_name} has strict mapping. "
-            f"Source fields: {', '.join(detected_fields) if detected_fields else field_name} has no mapping."
+            f"Source fields: {', '.join(fields)} have no mapping."
             f" Mapping file: {mapping}."
             if mapping
             else ""
         )
-        self.field_name = field_name
         super().__init__(message)
 
 
diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py
@@ -158,17 +158,18 @@ def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]:
     def default_mapping(self) -> SourceMapping:
         return self._source_mappings[DEFAULT_MAPPING_NAME]
 
-    def check_fields_mapping_existence(self, field_tokens: list[Field], source_mapping: SourceMapping) -> list[Field]:
-        not_mapped = []
+    def check_fields_mapping_existence(self, field_tokens: list[Field], source_mapping: SourceMapping) -> list[str]:
+        unmapped = []
         for field in field_tokens:
             generic_field_name = field.get_generic_field_name(source_mapping.source_id)
             mapped_field = source_mapping.fields_mapping.get_platform_field_name(generic_field_name=generic_field_name)
-            if not mapped_field:
-                if self.is_strict_mapping:
-                    raise StrictPlatformException(field_name=field.source_name, platform_name=self.details.name)
-                not_mapped.append(field)
+            if not mapped_field and field.source_name not in unmapped:
+                unmapped.append(field.source_name)
 
-        return not_mapped
+        if self.is_strict_mapping and unmapped:
+            raise StrictPlatformException(platform_name=self.details.name, fields=unmapped)
+
+        return unmapped
 
     @staticmethod
     def map_field(field: Field, source_mapping: SourceMapping) -> list[str]:
diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py
@@ -207,10 +207,9 @@ def wrap_with_not_supported_functions(self, query: str, not_supported_functions:
 
         return query
 
-    def wrap_with_unmapped_fields(self, query: str, fields: Optional[list[Field]]) -> str:
+    def wrap_with_unmapped_fields(self, query: str, fields: Optional[list[str]]) -> str:
         if fields:
-            joined = ", ".join(field.source_name for field in fields)
-            return query + "\n\n" + self.wrap_with_comment(f"{self.unmapped_fields_text}{joined}")
+            return query + "\n\n" + self.wrap_with_comment(f"{self.unmapped_fields_text}{', '.join(fields)}")
         return query
 
     def wrap_with_comment(self, value: str) -> str:
@@ -256,7 +255,7 @@ def generate_functions(self, functions: list[Function], source_mapping: SourceMa
     def map_predefined_field(self, predefined_field: PredefinedField) -> str:
         if not (mapped_predefined_field_name := self.predefined_fields_map.get(predefined_field.name)):
             if self.mappings.is_strict_mapping:
-                raise StrictPlatformException(field_name=predefined_field.name, platform_name=self.details.name)
+                raise StrictPlatformException(platform_name=self.details.name, fields=[predefined_field.name])
 
             return predefined_field.name
 
@@ -309,14 +308,9 @@ def apply_token(self, token: QUERY_TOKEN_TYPE, source_mapping: SourceMapping) ->
 
     def generate_query(self, tokens: list[QUERY_TOKEN_TYPE], source_mapping: SourceMapping) -> str:
         result_values = []
-        unmapped_fields = set()
         for token in tokens:
-            try:
-                result_values.append(self.apply_token(token=token, source_mapping=source_mapping))
-            except StrictPlatformException as err:
-                unmapped_fields.add(err.field_name)
-        if unmapped_fields:
-            raise StrictPlatformException(self.details.name, "", source_mapping.source_id, sorted(unmapped_fields))
+            result_values.append(self.apply_token(token=token, source_mapping=source_mapping))
+
         return "".join(result_values)
 
     def wrap_with_meta_info(self, query: str, meta_info: Optional[MetaInfoContainer]) -> str:
@@ -349,7 +343,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
@@ -418,7 +412,7 @@ def generate_raw_log_fields(self, fields: list[Field], source_mapping: SourceMap
                     generic_field_name=generic_field_name
                 )
             if not mapped_field and self.mappings.is_strict_mapping:
-                raise StrictPlatformException(field_name=field.source_name, platform_name=self.details.name)
+                raise StrictPlatformException(platform_name=self.details.name, fields=[field.source_name])
             if prefix_list := self.process_raw_log_field_prefix(field=mapped_field, source_mapping=source_mapping):
                 for prefix in prefix_list:
                     if prefix not in defined_raw_log_fields:
diff --git a/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_rule.py b/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_rule.py
@@ -24,7 +24,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.chronicle.const import DEFAULT_CHRONICLE_SECURITY_RULE, chronicle_rule_details
 from app.translator.platforms.chronicle.mapping import ChronicleMappings, chronicle_rule_mappings
@@ -112,7 +111,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,  # ,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
@@ -25,7 +25,6 @@
 from app.translator.core.mitre import MitreConfig
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.base.lucene.mapping import LuceneMappings
 from app.translator.platforms.elasticsearch.const import ELASTICSEARCH_DETECTION_RULE, elasticsearch_rule_details
@@ -88,7 +87,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/elast_alert.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/elast_alert.py
@@ -23,7 +23,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.base.lucene.mapping import LuceneMappings
 from app.translator.platforms.elasticsearch.const import ELASTICSEARCH_ALERT, elastalert_details
@@ -61,7 +60,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/kibana.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/kibana.py
@@ -24,7 +24,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.base.lucene.mapping import LuceneMappings
 from app.translator.platforms.elasticsearch.const import KIBANA_RULE, KIBANA_SEARCH_SOURCE_JSON, kibana_rule_details
@@ -57,7 +56,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/xpack_watcher.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/xpack_watcher.py
@@ -24,7 +24,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.base.lucene.mapping import LuceneMappings
 from app.translator.platforms.elasticsearch.const import XPACK_WATCHER_RULE, xpack_watcher_details
@@ -57,7 +56,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py b/uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py
@@ -26,7 +26,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, TokenizedQueryContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.core.models.query_tokens.field_value import FieldValue
 from app.translator.core.models.query_tokens.identifier import Identifier
 from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
@@ -304,7 +303,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         fields: Optional[set[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
diff --git a/uncoder-core/app/translator/platforms/logrhythm_axon/renders/logrhythm_axon_rule.py b/uncoder-core/app/translator/platforms/logrhythm_axon/renders/logrhythm_axon_rule.py
@@ -25,7 +25,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.logrhythm_axon.const import DEFAULT_LOGRHYTHM_AXON_RULE, logrhythm_axon_rule_details
 from app.translator.platforms.logrhythm_axon.escape_manager import logrhythm_rule_escape_manager
@@ -66,7 +65,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/logscale/renders/logscale_alert.py b/uncoder-core/app/translator/platforms/logscale/renders/logscale_alert.py
@@ -24,7 +24,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.logscale.const import DEFAULT_LOGSCALE_ALERT, logscale_alert_details
 from app.translator.platforms.logscale.mapping import LogScaleMappings, logscale_alert_mappings
@@ -53,7 +52,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py
@@ -25,7 +25,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.microsoft.const import DEFAULT_MICROSOFT_SENTINEL_RULE, microsoft_sentinel_rule_details
 from app.translator.platforms.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_rule_mappings
@@ -78,7 +77,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_rule.py b/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_rule.py
@@ -26,7 +26,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.core.models.query_tokens.field_value import FieldValue
 from app.translator.managers import render_manager
 from app.translator.platforms.base.lucene.mapping import LuceneMappings
@@ -65,7 +64,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -16,18 +16,15 @@
 limitations under the License.
 -----------------------------------------------------------------
 """
-from contextlib import suppress
 from typing import ClassVar, Optional, Union
 
 from app.translator.const import DEFAULT_VALUE_TYPE
 from app.translator.core.const import QUERY_TOKEN_TYPE
-from app.translator.core.context_vars import preset_log_source_str_ctx_var, return_only_first_query_ctx_var
+from app.translator.core.context_vars import preset_log_source_str_ctx_var
 from app.translator.core.custom_types.tokens import OperatorType
 from app.translator.core.custom_types.values import ValueType
-from app.translator.core.exceptions.core import StrictPlatformException
-from app.translator.core.mapping import DEFAULT_MAPPING_NAME, SourceMapping
+from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
-from app.translator.core.models.query_container import TokenizedQueryContainer
 from app.translator.core.models.query_tokens.field_value import FieldValue
 from app.translator.core.render import BaseFieldFieldRender, BaseFieldValueRender, PlatformQueryRender
 from app.translator.core.str_value_manager import StrValue
@@ -224,32 +221,3 @@ def apply_token(self, token: QUERY_TOKEN_TYPE, source_mapping: SourceMapping) ->
     @staticmethod
     def _finalize_search_query(query: str) -> str:
         return f"| filter {query}" if query else ""
-
-    def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str:
-        queries_map = {}
-        errors = []
-        source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids)
-
-        last_mapping_index = len(source_mappings) - 1
-        for index, source_mapping in enumerate(source_mappings):
-            try:
-                finalized_query = self._generate_from_tokenized_query_container_by_source_mapping(
-                    query_container, source_mapping
-                )
-                if return_only_first_query_ctx_var.get() is True:
-                    return finalized_query
-                queries_map[source_mapping.source_id] = finalized_query
-            except StrictPlatformException as err:
-                errors.append(err)
-                if index != last_mapping_index or source_mapping.source_id == DEFAULT_MAPPING_NAME or queries_map:
-                    continue
-
-                with suppress(StrictPlatformException):
-                    finalized_query = self._generate_from_tokenized_query_container_by_source_mapping(
-                        query_container, self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)
-                    )
-                    queries_map[source_mapping.source_id] = finalized_query
-
-        if not queries_map and errors:
-            raise errors[0]
-        return self.finalize(queries_map)
diff --git a/uncoder-core/app/translator/platforms/splunk/renders/splunk_alert.py b/uncoder-core/app/translator/platforms/splunk/renders/splunk_alert.py
@@ -23,7 +23,6 @@
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer
-from app.translator.core.models.query_tokens.field import Field
 from app.translator.managers import render_manager
 from app.translator.platforms.splunk.const import DEFAULT_SPLUNK_ALERT, splunk_alert_details
 from app.translator.platforms.splunk.mapping import SplunkMappings, splunk_alert_mappings
@@ -63,7 +62,7 @@ def finalize_query(
         meta_info: Optional[MetaInfoContainer] = None,
         source_mapping: Optional[SourceMapping] = None,  # noqa: ARG002
         not_supported_functions: Optional[list] = None,
-        unmapped_fields: Optional[list[Field]] = None,
+        unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
