Update Error Types

eric-forte-elastic · eric-forte-elastic · commit 013ad5f87441 · 2025-09-23T11:59:27.000-04:00
diff --git a/detection_rules/esql_errors.py b/detection_rules/esql_errors.py
@@ -1,7 +1,5 @@
 """ESQL exceptions."""
 
-from marshmallow.exceptions import ValidationError
-
 __all__ = (
     "EsqlSchemaError",
     "EsqlSemanticError",
@@ -10,21 +8,29 @@
 )
 
 
-class EsqlSchemaError(ValidationError):
-    """Error for missing fields in ESQL."""
+class EsqlSchemaError(Exception):
+    """Error in ESQL schema. Validated via Kibana until AST is available."""
+
+    def __init__(self, message: str):
+        super().__init__(message)
 
 
-class EsqlSyntaxError(ValidationError):
-    """Error with ESQL syntax."""
+class EsqlSyntaxError(Exception):
+    """Error with ESQL syntax. Validated via Kibana until AST is available."""
 
-    # TODO: Update this to a Kibana Error extension? Perhaps?
+    def __init__(self, message: str):
+        super().__init__(message)
 
 
-class EsqlSemanticError(ValidationError):
-    """Error with ESQL semantics."""
+class EsqlSemanticError(Exception):
+    """Error with ESQL semantics. Validated via Kibana until AST is available."""
 
-    # TODO: Update this to a Kibana Error extension? Perhaps?
+    def __init__(self, message: str):
+        super().__init__(message)
 
 
-class EsqlTypeMismatchError(ValidationError):
+class EsqlTypeMismatchError(Exception):
     """Error when validating types in ESQL."""
+
+    def __init__(self, message: str):
+        super().__init__(message)
diff --git a/detection_rules/index_mappings.py b/detection_rules/index_mappings.py
@@ -58,7 +58,6 @@ def prepare_integration_mappings(
 
     for integration in rule_integrations:
         package = integration
-        # TODO check should be latest or least?
         package_version, _ = integrations.find_latest_compatible_version(
             package,
             "",
diff --git a/detection_rules/misc.py b/detection_rules/misc.py
@@ -16,8 +16,10 @@
 import requests
 from elastic_transport import ObjectApiResponse
 from elasticsearch import AuthenticationException, Elasticsearch
+from elasticsearch.exceptions import BadRequestError
 from kibana import Kibana  # type: ignore[reportMissingTypeStubs]
 
+from .esql_errors import EsqlSchemaError
 from .utils import add_params, cached, combine_dicts, load_etc_dump
 
 LICENSE_HEADER = """
@@ -427,17 +429,21 @@ def get_simulated_index_template_mappings(elastic_client: Elasticsearch, name: s
 
 def create_index_with_index_mapping(
     elastic_client: Elasticsearch, index_name: str, mappings: dict[str, Any]
-) -> ObjectApiResponse[Any]:
+) -> ObjectApiResponse[Any] | None:
     """Create an index with the specified mappings and settings to support large number of fields and nested objects."""
-    return elastic_client.indices.create(
-        index=index_name,
-        mappings={"properties": mappings},
-        settings={
-            "index.mapping.total_fields.limit": 10000,
-            "index.mapping.nested_fields.limit": 500,
-            "index.mapping.nested_objects.limit": 10000,
-        },
-    )
+    try:
+        return elastic_client.indices.create(
+            index=index_name,
+            mappings={"properties": mappings},
+            settings={
+                "index.mapping.total_fields.limit": 10000,
+                "index.mapping.nested_fields.limit": 500,
+                "index.mapping.nested_objects.limit": 10000,
+            },
+        )
+    except BadRequestError as e:
+        if e.status_code == 400 and "validation_exception" in str(e):
+            raise EsqlSchemaError(str(e)) from e
 
 
 def get_existing_mappings(elastic_client: Elasticsearch, indices: list[str]) -> tuple[dict[str, Any], dict[str, Any]]:
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
@@ -32,6 +32,7 @@
 from .beats import get_datasets_and_modules, parse_beats_from_index
 from .config import CUSTOM_RULES_DIR, load_current_package_version, parse_rules_config
 from .custom_schemas import update_auto_generated_schema
+from .esql_errors import EsqlTypeMismatchError
 from .index_mappings import (
     create_remote_indices,
     execute_query_against_indices,
@@ -57,15 +58,6 @@
 )
 KQL_ERROR_TYPES = kql.KqlCompileError | kql.KqlParseError
 RULES_CONFIG = parse_rules_config()
-# TODO ESQL specific error message to catch Kibana Bad Request Errors
-# TODO ESQL.py file to hold ESQL specific logic for Errors, subclass exceptions
-# Expect to support the following as ESQL (middle 2 from Kibana)
-"""
-    EsqlSchemaError
-    EsqlSemanticError
-    EsqlSyntaxError
-    EsqlTypeMismatchError
-"""
 
 
 @dataclass(frozen=True)
@@ -786,8 +778,7 @@ def validate_columns_index_mapping(
                 )
 
         if mismatched_columns:
-            # TODO this should be an ESQL type Error (check to match EQL error structure)
-            raise ValueError("Column validation errors:\n" + "\n".join(mismatched_columns))
+            raise EsqlTypeMismatchError("Column validation errors:\n" + "\n".join(mismatched_columns))
 
         return True
 
