contrast-agent 3.10.0 → 3.12.1

data/lib/contrast/agent/assess/rule/redos.rb

@@ -17,7 +17,7 @@ module Contrast
               NAME
             end
 
-            def regexp_complexity_check context, trigger_node, source, object, ret, invoked, *args
+            def regexp_complexity_check context, trigger_node, source, object, ret, *args
               # we can arrive here either from:
               #   regexp =~ string
               #   string =~ regexp
@@ -31,9 +31,9 @@ module Contrast
               return unless regexp_vulnerable?(regexp)
 
               # (2) regexp must evaluate against user input
-              if trigger_node.violated?(string) # rubocop:disable Style/GuardClause
-                Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, invoked + 1, args)
-              end
+              return unless trigger_node.violated?(string)
+
+              Contrast::Agent::Assess::Policy::TriggerMethod.build_finding(context, trigger_node, source, object, ret, args)
             end
 
             protected
@@ -54,7 +54,6 @@ module Contrast
               # will have the same functional characteristics as the original.
               # Regexp#inspect gives you a "more nicely formatted" version than #to_s.
               # Regexp#source will give you the original source.
-              # TODO RUBY-683, would we ever get a hit on one but not the other?
 
               # Use #match? because it doesn't fill out global variables
               # in the way match or =~ do.

data/lib/contrast/agent/assess/tag.rb

@@ -33,6 +33,10 @@ module Contrast
           start_idx...end_idx
         end
 
+        def extends_beyond_string_size? string_length
+          @end_idx > string_length
+        end
+
         # Return if a given tag overlaps this one
         def overlaps? other
           return true if @start_idx <  other.start_idx && @end_idx >= other.start_idx  # we start below other & end in it
@@ -100,27 +104,33 @@ module Contrast
         # The tag is ______ the range
         # rrrrrrr == self.range, the range of the tag
         def compare_range start, stop
-          # r starts and stops below
-          # rrrrrrrrrrrrr
-          #               start       stop
-          return BELOW     if @start_idx <  start && @end_idx <= start
-          # r starts below and finishes within
-          # rrrrrrrrrrrrr
-          #    start       stop
-          return LOW_SPAN  if @start_idx <  start && @end_idx > start && @end_idx <= stop
+          # the range starts below the given values
+          if @start_idx < start
+            # r starts and stops below
+            # rrrrrrrrrrrrr
+            #               start       stop
+            return BELOW if @end_idx <= start
+            # r starts below and finishes within
+            # rrrrrrrrrrrrr
+            #    start       stop
+            return LOW_SPAN if @end_idx > start && @end_idx <= stop
+            # r starts below and finishes above stop
+            #  rrrrrrrrrrrrrrrrrrrrrrrr
+            #     start       stop
+            return WITHOUT if @end_idx > stop
+          end
+
+          # the range starts at or above the given values
           # r is between start and stop
           #        rrrrrrrrrrrrrrr
           # start                   stop
-          return WITHIN    if @start_idx >= start && @start_idx < stop && @end_idx <= stop
-          # r starts below and finishes above stop
-          #  rrrrrrrrrrrrrrrrrrrrrrrr
-          #     start       stop
-          return WITHOUT   if @start_idx <  start && @end_idx > stop
+          return WITHIN if @start_idx < stop && @end_idx <= stop
           # r starts within and finishes above stop
           #           rrrrrrrrrrrrr
           #   start       stop
-          return HIGH_SPAN if @start_idx >= start && @start_idx < stop && @end_idx > stop
+          return HIGH_SPAN if @start_idx < stop && @end_idx > stop
 
+          # the range is above the given values
           # starts and stops above
           #                   rrrrrrrrrrrrr
           #  start       stop

data/lib/contrast/agent/at_exit_hook.rb

@@ -8,26 +8,29 @@ module Contrast
     # This module adds an at_exit hook for us to send messages that may be lost at process exit
     module AtExitHook
       include Contrast::Components::Interface
-      access_component :logging, :contrast_service
-
-      TERMINATION_NOTICE = 'at_exit invoked, host application terminating'
-
+      access_component :logging
       def self.exit_hook
         @_exit_hook ||= begin
                           at_exit do
-                            logger.debug(TERMINATION_NOTICE)
-
-                            context = Contrast::Agent::REQUEST_TRACKER.current
-                            CONTRAST_SERVICE.send_message(context.activity) if context
-
-                            logger.debug(" - current PID  #{ @pid  }")
-                            logger.debug(" - current PPID #{ @ppid }")
-                            logger.debug(" - process PID  #{ Process.pid  }")
-                            logger.debug(" - process PPID #{ Process.ppid }")
+                            on_exit
                           end
                           true
                         end
       end
+
+      # Actions to take when a process exits. Typically called from our
+      # exit_hook, but exposed here for other process terminations, like those
+      # in Kernel#exec
+      def self.on_exit
+        logger.debug('at_exit invoked, host application terminating',
+                     p_id: @pid,
+                     pp_id: @ppid,
+                     process_pid: Process.pid,
+                     process_pp_id: Process.ppid)
+
+        context = Contrast::Agent::REQUEST_TRACKER.current
+        Contrast::Utils::ServiceSenderUtil.send_event_immediately(context.activity) if context
+      end
     end
   end
 end

data/lib/contrast/agent/class_reopener.rb

@@ -2,25 +2,30 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'ripper'
-cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/extension/module'
 cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/logger/log'
 
 # This method is left purposefully at the top level namespace. Moving it
 # elsewhere will break functionality as it executes evaluations against the
 # namespace from which it is called -- ie putting it in Contrast would make all
 # changes it intends for Foo happen to Contrast::Foo instead
 #
-# @param class_name [String] the name of the class in which the eval will
+# @param _class_name [String] the name of the class in which the eval will
 #   redefine functionality
 # @param content [String] the String content that will function as the code in
 #   the given class
-def unbound_eval class_name, content
+def unbound_eval _class_name, content
   # Yuck, this is a top-level method that has to break encapsulation
   # in order to access scoping!
   Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.enter_contrast_scope!
   eval(content) # rubocop:disable Security/Eval
 rescue Exception # rubocop:disable Lint/RescueException
-  Contrast::Agent::SettingsState.log_error("Unable to perform unbound eval of new content for #{ class_name }.")
+  # We can't use components here, so we have to access the log directly. I hate
+  # it, but we'll have to deal with it until we remove 2.5 support.
+  Contrast::Logger::Log.instance.logger.error('Unable to perform unbound eval of new content', module: class_name)
+  # And we need to return nil here, not the value from the logger.
+  nil
 ensure
   Contrast::Components::Scope::COMPONENT_INTERFACE.scope_for_current_ec.exit_contrast_scope!
 end
@@ -115,9 +120,7 @@ module Contrast
       def source_code location, method_name
         file_name = location[0]
         line_number = location[1]
-        return unless file_name && line_number
-        return unless File.exist?(file_name) && File.readable?(file_name)
-        return if File.empty?(file_name)
+        return unless file_contents_available?(file_name, line_number)
 
         files[file_name] = File.readlines(file_name) unless files.key?(file_name)
         lines = files[file_name]
@@ -130,7 +133,11 @@ module Contrast
           break if complete?(code)
         end
         unless complete?(code) && compiles?(code)
-          logger.warn("Failed to capture #{ method_name } in #{ file_name } at #{ line_number } for rewriting.")
+          logger.warn(
+              'Failed to determine sourcecode for rewriting.',
+              file: file_name,
+              method: method_name,
+              line_number: line_number)
           return
         end
         code
@@ -138,6 +145,14 @@ module Contrast
 
       private
 
+      def file_contents_available? file_name, line_number
+        return false unless file_name && line_number
+        return false unless File.exist?(file_name) && File.readable?(file_name)
+        return false if File.empty?(file_name)
+
+        true
+      end
+
       def gather_modules
         return if class_module_path.nil?
 

data/lib/contrast/agent/deadzone/policy/policy.rb

@@ -37,14 +37,14 @@ module Contrast
 
           def add_node node, _node_type = :deadzones
             unless node
-              logger.error(nil, 'Node was nil when adding node to policy')
+              logger.error('Node was nil when adding node to policy')
               return
             end
 
             begin
               node.validate
             rescue ArgumentError => e
-              logger.error(e, e.message)
+              logger.error('Node failed validation', e)
               return
             end
 

data/lib/contrast/agent/disable_reaction.rb

@@ -10,13 +10,12 @@ module Contrast
     # set by the Organization's Administrator
     class DisableReaction
       include Contrast::Components::Interface
-      access_component :logging, :agent
+      access_component :agent, :logging
 
       def self.run _reaction, level
         logger.with_level(
-            nil,
-            'Contrast received instructions to disable itself - Disabling now',
-            level)
+            level,
+            'Contrast received instructions to disable itself - Disabling now')
         AGENT.disable!
       end
     end

data/lib/contrast/agent/exclusion_matcher.rb

@@ -12,6 +12,10 @@ module Contrast
       include Contrast::Components::Interface
       access_component :logging
 
+      # Create a matcher around an exclusion sent from TeamServer.
+      #
+      # @param excl [Contrast::Api::Settings::Exclusion]
+      # @return [Contrast::Agent::ExclusionMatcher]
       def initialize excl
         @exclusion = excl
         @protect = @exclusion.protect
@@ -58,10 +62,10 @@ module Contrast
       # Contrast UI, these comparisons must be done at the end of the input.
       # https://docs.contrastsecurity.com/admin-policymgmt.html#exclude
       def handle_wildcard_code
-        return unless @exclusion.blacklist&.any?
+        return unless @exclusion.denylist&.any?
 
         @wildcard_exclusions = []
-        @exclusion.blacklist.each do |code|
+        @exclusion.denylist.each do |code|
           class_name, method_name = code.split(Contrast::Utils::ObjectShare::COLON)
           class_pattern = build_regexp(class_name, false, true)
           method_pattern = build_regexp(method_name)
@@ -76,7 +80,7 @@ module Contrast
         pattern += Contrast::Utils::ObjectShare::DOLLAR_SIGN if end_anchor
         Regexp.compile(pattern)
       rescue RegexpError => e
-        logger.error(e, "Unable to generate a pattern for #{ pattern }. It will not be used for exclusion matching.")
+        logger.error('Unable to generate a pattern for exclusion matching.', e, pattern: pattern)
       end
 
       def protect?
@@ -87,14 +91,6 @@ module Contrast
         @assess
       end
 
-      def url?
-        @exclusion.type == :URL
-      end
-
-      def input?
-        @exclusion.type == :INPUT
-      end
-
       def code?
         @exclusion.type == :CODE
       end
@@ -131,43 +127,6 @@ module Contrast
             )
       end
 
-      def match_url? url
-        return false unless url?
-        return true if @wildcard_url
-
-        @urls.any? { |test| url.match?(test) }
-      end
-
-      def match_input? value, type
-        return false unless input?
-
-        exclusion_type = @exclusion.input_type
-        case type
-        when :PARAMETER_NAME, :PARAMETER_VALUE
-          return exclusion_type == :PARAMETER && value_match?(value)
-        when :COOKIE_NAME, :COOKIE_VALUE
-          return exclusion_type == :COOKIE && value_match?(value)
-        when :HEADER
-          return exclusion_type == :HEADER && value_match?(value, false)
-        when :BODY
-          return exclusion_type == :BODY
-        when :QUERYSTRING
-          return exclusion_type == :QUERYSTRING
-        end
-
-        false
-      end
-
-      def value_match? value, case_sensitive = true
-        return true if @wildcard_input
-
-        if case_sensitive
-          value == @exclusion.input_name
-        else
-          @exclusion.input_name.casecmp(value).zero?
-        end
-      end
-
       def match_code? stack_trace
         return false unless code?
         return false if @wildcard_exclusions&.empty?

data/lib/contrast/agent/inventory/policy/datastores.rb

@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'contrast/components/interface'
+cs__scoped_require 'contrast/utils/inventory_util'
+
+module Contrast
+  module Agent
+    module Inventory
+      module Policy
+        # This Module is how we apply the Data Store detection required for the
+        # FlowMap feature. It is called from our patches of the targeted methods
+        # in which database operations occur. It is responsible for deciding if
+        # the given invocation is worth reporting or not.
+        module DataStores
+          class << self
+            include Contrast::Components::Interface
+
+            access_component :analysis, :logging
+            # The key used in policy.json to indicate the database type to
+            # report.
+            DATA_STORE_MARKER = 'data_store'
+
+            def report_data_store _method, _exception, properties, object, _args
+              return unless INVENTORY.enabled?
+
+              marker = properties[DATA_STORE_MARKER]
+              return unless marker
+
+              file_report(marker)
+            rescue StandardError => e
+              logger.error('Error reporting database call', e, object: object)
+            end
+
+            private
+
+            def file_report data_store
+              return unless data_store
+
+              context = Contrast::Agent::REQUEST_TRACKER.current
+              return unless context&.activity
+
+              context.activity.technologies[data_store] = true
+              context.activity.query_count += 1
+              return unless context.activity.query_count == 1
+
+              Contrast::Utils::InventoryUtil.append_db_config(context.activity)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/inventory/policy/policy.rb

@@ -5,7 +5,7 @@ cs__scoped_require 'contrast/agent/inventory/policy/trigger_node'
 cs__scoped_require 'contrast/agent/patching/policy/policy'
 
 # classes required by patches in the policy
-cs__scoped_require 'contrast/extensions/ruby_core/inventory/datastores'
+cs__scoped_require 'contrast/agent/inventory/policy/datastores'
 
 module Contrast
   module Agent

data/lib/contrast/agent/middleware.rb

@@ -7,10 +7,11 @@ cs__scoped_require 'rack'
 
 cs__scoped_require 'contrast/security_exception'
 cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/gemfile_reader'
 cs__scoped_require 'contrast/agent/service_heartbeat'
 cs__scoped_require 'contrast/components/interface'
 cs__scoped_require 'contrast/utils/heap_dump_util'
+cs__scoped_require 'contrast/agent/request_handler'
+cs__scoped_require 'contrast/agent/static_analysis'
 
 cs__scoped_require 'contrast/utils/timer'
 cs__scoped_require 'contrast/utils/freeze_util'
@@ -19,331 +20,171 @@ cs__scoped_require 'contrast/utils/service_response_util'
 
 module Contrast
   module Agent
-    # This class allows the Agent to plug into the Rack middleware stack,
-    # providing hooks to relevant application events, such as request start and
-    # application code.
+    # This class allows the Agent to plug into the Rack middleware stack. When the
+    # application is first started, we initialize ourselves as a rack middleware
+    # inside of #initialize. Afterwards, we process each http request and response
+    # as it goes through the middleware stack inside of #call.
     class Middleware
       include Contrast::Components::Interface
-      access_component :contrast_service, :logging, :agent, :analysis, :config, :scope
+      access_component :agent, :config, :logging, :scope, :settings
 
       attr_reader :app
 
-      LOG_DEBUG_MIDDLEWARE_ENV     = 'middleware: log environment'
-      LOG_DEBUG_MIDDLEWARE_LIB     = 'middleware: instrument shared libraries'
-      LOG_DEBUG_MIDDLEWARE_START   = 'middleware: startup agent'
-      LOG_DEBUG_MIDDLEWARE_SERVICE = 'middleware: starting service'
-
-      # allows the Agent to function as a middleware
+      # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here
+      # since we're only going to be initialized a single time. Our initialization order is:
+      # - capture the application
+      # - setup the Agent
+      # - startup the Agent
       #
       # @param app [Rack::Application] the application to be instrumented
       # @param _legacy_param [nil] was a flag we no longer need, but Sinatra may call it
       def initialize app, _legacy_param = nil
-        @app = app
-
-        # TODO: RUBY-545 nomenclature here needs to be updated.
-        #   enabled/initialized are really only reflective of whether we were
-        #   able to parse the config, which is the bare minimum for the agent
-        #   to do anything.
+        @app = app  # THIS MUST BE FIRST AND ALWAYS SET!
+        setup_agent # THIS MUST BE SECOND AND ALWAYS CALLED!
         unless AGENT.enabled?
-          logger.error('Contrast middleware initializer detected an early-stage setup failure (likely config parse).  Disabling.')
-          # ensure the agent is disabled (probably redundant)
-          AGENT.disable!
+          logger.error(
+              'The Agent was unable to initialize before the application middleware was initialized. Disabling permanently.')
+          AGENT.disable! # ensure the agent is disabled (probably redundant)
           return
         end
-
-        logger.debug_with_time(LOG_DEBUG_MIDDLEWARE_ENV) do
-          settings.log_environment
-          settings.log_configuration
-          settings.log_specific_libraries
-          settings.log_all_libraries
+        agent_startup_routine
+      end
+
+      # Startup the Agent as part of the initialization process:
+      # - start the service sending thread, responsible for sending and
+      #   processing messages
+      # - start the heartbeat thread, which triggers service startup
+      # - start instrumenting libraries and do a 'catchup' patch for everything
+      #   we didn't see get loaded
+      # - enable TracePoint, which handles all class loads and required
+      #   instrumentation going forward
+      def agent_startup_routine
+        logger.debug_with_time('middleware: starting service') do
+          run_service_threads
         end
 
-        # Initialization order should be:
-        # - start separate service sending threads
-        # - start heartbeat thread, which triggers service startup
-        # - start patching to achieve instrumentation
-
-        logger.debug_with_time(LOG_DEBUG_MIDDLEWARE_SERVICE) do
-          # get threads ready to poll for messages on the queue
-          run_service_sender_thread
-
-          # sends first message to service, which triggers service startup
-          run_service_heartbeat_thread
-        end
-
-        # Default instrumentation
-        logger.debug_with_time(LOG_DEBUG_MIDDLEWARE_LIB) do
-          AGENT.run_instrumentation
+        logger.debug_with_time('middleware: instrument shared libraries and patch') do
+          Contrast::Agent::Patching::Policy::Patcher.patch
         end
 
+        AGENT.enable_tracepoint
         Contrast::Agent::AtExitHook.exit_hook
       end
 
-      def settings
-        Contrast::Agent::FeatureState.instance
-      end
-
-      LOG_DEBUG_MIDDLEWARE_START_CALL = 'middleware: startup agent (call)'
-      # def _call env
+      # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready
+      # to do some processing on a per request basis. If not, we just pass the request along to the
+      # next middleware in the stack.
+      #
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
+      #   and values of this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
+      #   to the user up the Rack framework.
       def call env
         Contrast::Utils::HeapDumpUtil.run
 
         if AGENT.enabled?
-          response = call_with_agent(env)
-          with_contrast_scope { do_static_analysis_catchup }
-          response
+          Contrast::Agent::StaticAnalysis.catchup
+          call_with_agent(env)
         else
-          call_without_agent(env)
+          app.call(env)
         end
       end
 
-      def call_without_agent env
-        app.call(env)
+      private
+
+      def setup_agent
+        SETTINGS.reset_state
+
+        if CONFIG.invalid?
+          AGENT.disable!
+          logger.error('!!! CONFIG FILE IS INVALID - DISABLING CONTRAST AGENT !!!')
+        elsif CONFIG.disabled?
+          AGENT.disable!
+          logger.warn('Contrast disabled by configuration. Continuing without instrumentation.')
+        else
+          AGENT.enable!
+        end
       end
 
-      REQUEST_PATH = 'REQUEST_PATH'
-      LOG_DEBUG_REQUEST = 'HTTP request cycle'
+      # This is where we process each request we intercept as a middleware. We make the request context
+      # available globally so that it can be accessed from anywhere. A RequestHandler object is made
+      # for each request, which handles prefilter and postfilter operations.
       def call_with_agent env
-        rack_request = generate_request(env)
+        return unless AGENT.enabled?
 
-        context = Contrast::Agent::RequestContext.new(rack_request, true) # 'true' here is legacy, by the time we're here, we're ready
+        framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
+        context = Contrast::Agent::RequestContext.new(framework_request)
+        response = nil
 
-        # default response
-        streaming = false
         # make the context available for the lifecycle of this request
         Contrast::Agent::REQUEST_TRACKER.lifespan(context) do
-          # record entire time
-          logger.debug_with_time(LOG_DEBUG_REQUEST) do
-            # process filters that can short circuit application processing
+          request_handler = Contrast::Agent::RequestHandler.new(context)
+
+          logger.debug_with_time('HTTP request cycle') do
+            # prefilter sequence
             with_contrast_scope do
               context.service_extract_request
-              prefilter(context)
+              request_handler.ruleset.prefilter
             end
 
-            # run application by passing request down the Rack chain using
-            # the original env
-            response = application_code(env)
+            response = application_code(env) # pass request down the Rack chain with original env
 
-            # if streaming, allow for early return with application response
-            streaming = possibly_streaming?(env)
-            if streaming
-              with_contrast_scope { postfilter(context, streaming) }
-              return response
+            # postfilter sequence
+            with_contrast_scope do
+              context.extract_after(response) # update context with final response information
+
+              if Contrast::Agent.framework_manager.streaming?(env)
+                context.reset_activity
+                request_handler.stream_safe_postfilter
+              else
+                request_handler.ruleset.postfilter
+                # return response stored in the context in case any postfilter rules updated the response data
+                response = context.response&.rack_response || response
+                request_handler.send_activity_messages
+              end
             end
-
-            # update context with final response information
-            context.extract_after(response)
-
-            # process filters that look at response headers and body
-            with_contrast_scope { postfilter(context) }
           end
         end
 
-        # return the response stored in the context in case any postfilter rules
-        # updated the response data
-        context&.response&.rack_response || response
-
-      # handle security exception
+        response
       rescue StandardError => e
         handle_exception(e)
-      ensure
-        begin
-          handle_ensure(context, streaming)
-        rescue Exception => e # rubocop:disable Lint/RescueException
-          logger.error(e, 'Exception raised while flushing messages to Contrast service!')
-          raise
-        end
-      end
-
-      LOG_WARN_FRAMEWORK_PARSE = 'Unable to generate framework specific request - falling back to Rack'
-      # Given the rack environment of this call, generate a framework specific
-      # request object to bind to this context. In the event that multiple
-      # supported frameworks are defined OR we cannot determine the framework
-      # currently in use or there is an exception during request generation, we
-      # will fall back on Rack::Request object
-      def generate_request env
-        rails_defined = defined?(Rails)
-        sinatra_defined = defined?(Sinatra) && defined?(Sinatra::Request)
-
-        if rails_defined && !sinatra_defined
-          # code from /lib/action_cable/connection/base
-          environment = Rails.application.env_config.merge(env) if defined?(Rails.application) && Rails.application
-          ActionDispatch::Request.new(environment || env)
-        # !defined? currently redundant, won't be if we have more frameworks
-        elsif sinatra_defined && !rails_defined
-          Sinatra::Request.new(env)
-        else # many OR none
-          Rack::Request.new(env)
-        end
-      rescue StandardError => e
-        logger.warn(e, LOG_WARN_FRAMEWORK_PARSE)
-        Rack::Request.new(env)
-      end
-
-      LOG_ERROR_STREAM_CHECK = 'Unable to check for streaming'
-      ACTION_CONTROLLER_INSTANCE = 'action_controller.instance'
-      # First check to see if an action could potentially be streaming a response
-      def possibly_streaming? env
-        return false unless defined?(ActionController::Live)
-
-        env[ACTION_CONTROLLER_INSTANCE].cs__class.included_modules.include?(ActionController::Live)
-      rescue StandardError => e
-        logger.warn(LOG_ERROR_STREAM_CHECK, e)
       end
 
-      LOG_ERROR_ENSURE = 'Context not defined in middleware ensure.'
-      # Send a server activity message and an application activity message
-      # and return response
-      def handle_ensure context, streaming
-        if context
-          logger.debug('Middleware request lifecycle complete; flushing context activity to Contrast service.')
-          Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
-          [context.server_activity, context.activity, context.observed_route].each do |message|
-            CONTRAST_SERVICE.send_message message
-          end
-        else
-          logger.error(LOG_ERROR_ENSURE)
+      def application_code env
+        logger.trace_with_time('application') do
+          app.call(env)
         end
-        return unless streaming
-
-        context.reset_activity
+      rescue Contrast::SecurityException => e
+        logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
+        raise e
       end
 
       SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
-      LOG_RETHROW_ERROR = 'Re-throwing original error'
       # We're only going to suppress SecurityExceptions indicating a blocked attack.
       # And, only if the config.agent.ruby.exceptions.capture? is set
       def handle_exception exception
         if exception.is_a?(Contrast::SecurityException) ||
               exception.message&.include?(SECURITY_EXCEPTION_MARKER)
 
-          exception_control = Contrast::Agent::FeatureState.instance.exception_control
+          exception_control = AGENT.exception_control
           raise exception unless exception_control[:enable]
 
           [exception_control[:status], {}, [exception_control[:message]]]
         else
-          # Log original re-raise
-          logger.debug(exception, LOG_RETHROW_ERROR)
+          logger.debug('Re-throwing original error', exception)
           raise exception
         end
       end
 
-      LOG_DEBUG_PREFILTER = 'prefilter'
-      LOG_ERROR_PREFILTER = 'Unexpected exception during prefilter'
-      # Iterate through rules that only depend upon the request object.
-      def prefilter context
-        return unless context.app_loaded?
-
-        logger.debug_with_time(LOG_DEBUG_PREFILTER) do
-          prefilter_assess(context) if ASSESS.enabled? && context.analyze_request?
-          prefilter_protect(context) if PROTECT.enabled?
-        end
-      rescue Contrast::SecurityException => e
-        logger.warn("RASP threw security exception in prefilter: exception=#{ e.message }")
-        raise e
-      rescue StandardError => e
-        logger.error(LOG_ERROR_PREFILTER, e)
-      end
-
-      def prefilter_assess context
-        rules = ASSESS.rules
-        logger.debug("Assess: Running #{ rules.length } rules in prefilter.")
-        prefilter_rules(rules, context)
-      end
-
-      def prefilter_protect context
-        rules = PROTECT.rules
-        logger.debug("Protect: Running #{ rules.length } rules in prefilter.")
-        prefilter_rules(rules, context)
-      end
-
-      def prefilter_rules rules, context
-        rules.each do |_, rule|
-          rule.prefilter(context)
-        end
-      end
-
-      LOG_DEBUG_APPLICATION = 'application'
-      # Run the next level of the Rack stack as normal
-      def application_code env
-        logger.debug_with_time(LOG_DEBUG_APPLICATION) do
-          app.call(env)
-        end
-      rescue Contrast::SecurityException => e
-        logger.info("RASP threw security exception in application code: exception=#{ e.message }")
-        raise e
-      end
-
-      LOG_DEBUG_POSTFILTER = 'postfilter'
-      LOG_ERROR_POSTFILTER = 'Unexpected exception during postfilter'
-      # Iterate through rules that depend on the full response object
-      def postfilter context, streaming = false
-        return unless context.app_loaded?
-
-        logger.debug_with_time(LOG_DEBUG_POSTFILTER) do
-          if ASSESS.enabled? && context.analyze_response?
-            logger.debug("Assess:\tRunning #{ ASSESS.rules.length } rules in postfilter.")
-            postfilter_rules(ASSESS.rules, context, streaming)
-          end
-
-          if PROTECT.enabled?
-            logger.debug("Protect:\tRunning #{ PROTECT.rules.length } rules in postfilter.")
-            postfilter_rules(PROTECT.rules, context, streaming)
-          end
-        end
-      rescue Contrast::SecurityException => e
-        logger.warn("RASP threw security exception: exception=#{ e.message }")
-        raise e
-      rescue StandardError => e
-        logger.error(LOG_ERROR_POSTFILTER, e)
-      end
-
-      # Iterate through a list of rules with the current context and the full response body
-      def postfilter_rules rules, context, streaming
-        rules.each do |_, rule|
-          if !streaming || rule.stream_safe?
-            rule.postfilter(context)
-          else
-            logger.debug("Skipping rule: #{ rule.name } in streamed response.")
-          end
-        end
-      end
-
-      def run_service_heartbeat_thread
-        # Rspec stubs over this method for simplicity's sake in testing.
-        # Take care if you refactor this back into #initialize.
-        Contrast::Agent::ServiceHeartbeat.new.start
-      end
-
-      def run_service_sender_thread
-        # Rspec stubs over this method for simplicity's sake in testing.
-        # Take care if you refactor this back into #initialize.
+      # TODO: RUBY-920
+      # Move this somewhere that controls our threads, ensuring they're
+      # recreated on Fork
+      #
+      # Rspec stubs over these methods for simplicity's sake in testing
+      def run_service_threads
         Contrast::Utils::ServiceSenderUtil.start
-      end
-
-      LOG_DEBUG_MW_INV = 'middleware: send inventory'
-      LOG_WARN_STATIC_ANALYSIS = 'Unable to run post-initialization static analysis'
-      # this is memoized, should only be meaningful after the first agented
-      # HTTP request
-      def do_static_analysis_catchup
-        @_do_static_analysis_catchup ||= begin
-                                           # Everything in here should be asynchronous, as we need to return
-                                           # the HTTP response from middleware ASAP.
-
-                                           # Review already-loaded inventory
-                                           logger.debug_with_time('initializer: report loaded gemset') do
-                                             Contrast::Utils::GemfileReader.instance.map_loaded_classes
-                                           end
-
-                                           # Report already-loaded inventory
-                                           logger.debug_with_time(LOG_DEBUG_MW_INV) do
-                                             settings.send_inventory_message
-                                           end
-
-                                           true
-                                         end
-      rescue StandardError => e
-        logger.warn(LOG_WARN_STATIC_ANALYSIS, e)
+        Contrast::Agent::ServiceHeartbeat.new.start
       end
     end
   end