support multiple rules per category

Signed-off-by: Jean Mertz <[email protected]>

Author: JeanMertz

aw-query/src/datatype.rs

@@ -1,10 +1,11 @@
 use std::collections::HashMap;
 use std::fmt;
+use std::str::FromStr as _;
 
 use super::functions;
 use super::QueryError;
 use aw_models::Event;
-use aw_transform::classify::{KeyValueRule, RegexRule, Rule};
+use aw_transform::classify::{KeyValueRule, LogicalOperator, LogicalRule, RegexRule, Rule};
 
 use serde::{Serialize, Serializer};
 use serde_json::value::Value;
@@ -300,6 +301,32 @@ impl TryFrom<&DataType> for Rule {
 
         match rtype.as_str() {
             "none" => Ok(Self::None),
+            "or" | "and" => {
+                let Some(rules) = obj.get("rules") else {
+                    return Err(QueryError::InvalidFunctionParameters(format!(
+                        "{} rule is missing the 'rules' field",
+                        rtype
+                    )));
+                };
+
+                let rules = match rules {
+                    DataType::List(rules) => rules
+                        .iter()
+                        .map(Rule::try_from)
+                        .collect::<Result<Vec<_>, _>>()?,
+                    _ => {
+                        return Err(QueryError::InvalidFunctionParameters(format!(
+                            "the rules field of the {} rule is not a list",
+                            rtype
+                        )))
+                    }
+                };
+
+                let operator = LogicalOperator::from_str(rtype)
+                    .map_err(QueryError::InvalidFunctionParameters)?;
+
+                Ok(Rule::Logical(LogicalRule::new(rules, operator)))
+            }
             "regex" => parse_regex_rule(obj),
             "keyvalue" => {
                 let Some(rules) = obj.get("rules") else {

aw-transform/src/classify.rs

@@ -1,4 +1,4 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, str::FromStr};
 
 /// Transforms for classifying (tagging and categorizing) events.
 ///
@@ -8,6 +8,7 @@ use fancy_regex::Regex;
 
 pub enum Rule {
     None,
+    Logical(LogicalRule),
     Regex(RegexRule),
     KeyValue(KeyValueRule),
 }
@@ -16,6 +17,7 @@ impl RuleTrait for Rule {
     fn matches(&self, event: &Event) -> bool {
         match self {
             Rule::None => false,
+            Rule::Logical(rule) => rule.matches(event),
             Rule::Regex(rule) => rule.matches(event),
             Rule::KeyValue(rule) => rule.matches(event),
         }
@@ -92,6 +94,45 @@ impl RuleTrait for KeyValueRule {
     }
 }
 
+pub enum LogicalOperator {
+    Or,
+    And,
+}
+
+impl FromStr for LogicalOperator {
+    type Err = String;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "or" => Ok(Self::Or),
+            "and" => Ok(Self::And),
+            _ => Err(format!("Invalid logical operator: {}", s)),
+        }
+    }
+}
+
+pub struct LogicalRule {
+    rules: Vec<Rule>,
+    operator: LogicalOperator,
+}
+
+impl LogicalRule {
+    pub fn new(rules: Vec<Rule>, operator: LogicalOperator) -> Self {
+        Self { rules, operator }
+    }
+}
+
+impl RuleTrait for LogicalRule {
+    fn matches(&self, event: &Event) -> bool {
+        use LogicalOperator::{And, Or};
+
+        match self.operator {
+            Or => self.rules.iter().any(|rule| rule.matches(event)),
+            And => self.rules.iter().all(|rule| rule.matches(event)),
+        }
+    }
+}
+
 /// Categorizes a list of events
 ///
 /// An event can only have one category, although the category may have a hierarchy,