contrast-agent 3.9.0 → 3.11.0

data/lib/contrast/agent/feature_state.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 cs__scoped_require 'contrast/agent/settings_state'
-cs__scoped_require 'contrast/extensions/ruby_core/module'
 cs__scoped_require 'contrast/utils/boolean_util'
 
 module Contrast
@@ -26,9 +25,6 @@ module Contrast
           include Contrast::Components::Interface
           access_component :config
 
-          # Ruby 2.4 does not nicely compare to nil, so we have to include
-          # these wrapper methods. RUBY-179 has the task to update this on
-          # EOL of 2.4 support
           def false? config
             Contrast::Utils::BooleanUtil.false?(config)
           end
@@ -38,57 +34,69 @@ module Contrast
           end
 
           def inventory_enabled?
-            !false?(CONFIG.root.inventory.enable)
+            @_inventory_enabled = !false?(CONFIG.root.inventory.enable) if @_inventory_enabled.nil?
+            @_inventory_enabled
           end
 
           def protect_forcibly_enabled?
-            true?(CONFIG.root.protect.enable)
+            @_protect_forcibly_enabled = true?(CONFIG.root.protect.enable) if @_protect_forcibly_enabled.nil?
+            @_protect_forcibly_enabled
           end
 
           def protect_forcibly_disabled?
-            false?(CONFIG.root.protect.enable)
+            @_protect_forcibly_disabled = false?(CONFIG.root.protect.enable) if @_protect_forcibly_disabled.nil?
+            @_protect_forcibly_disabled
           end
 
           def assess_forcibly_enabled?
-            true?(CONFIG.root.assess.enable)
+            @_assess_forcibly_enabled = true?(CONFIG.root.assess.enable) if @_assess_forcibly_enabled.nil?
+            @_assess_forcibly_enabled
           end
 
           def assess_forcibly_disabled?
-            false?(CONFIG.root.assess.enable)
+            @_assess_forcibly_disabled = false?(CONFIG.root.assess.enable) if @_assess_forcibly_disabled.nil?
+            @_assess_forcibly_disabled
           end
 
           def assess_track_frozen_sources?
-            !false?(CONFIG.root.agent.ruby.track_frozen_sources)
+            @_assess_track_frozen_sources = !false?(CONFIG.root.agent.ruby.track_frozen_sources) if @_assess_track_frozen_sources.nil?
+            @_assess_track_frozen_sources
           end
 
           def scan_response?
-            true?(CONFIG.root.assess.enable_scan_response)
+            @_scan_response = !false?(CONFIG.root.assess.enable_scan_response) if @_scan_response.nil?
+            @_scan_response
           end
 
           def omit_body?
-            true?(CONFIG.root.agent.omit_body)
+            @_omit_body = true?(CONFIG.root.agent.omit_body) if @_omit_body.nil?
+            @_omit_body
           end
 
           def require_scanning_enabled?
-            !false?(CONFIG.root.agent.ruby.require_scan)
-          end
-
-          def heap_dump_enabled?
-            true?(CONFIG.root.agent.heap_dump.enable)
+            @_require_scanning_enabled = !false?(CONFIG.root.agent.ruby.require_scan) if @_require_scanning_enabled.nil?
+            @_require_scanning_enabled
           end
 
           def service_forcibly_disabled?
-            false?(CONFIG.root.agent.start_bundled_service)
+            @_service_forcibly_disabled = false?(CONFIG.root.agent.start_bundled_service) if @_service_forcibly_disabled.nil?
+            @_service_forcibly_disabled
           end
 
           def report_any_command_execution?
-            ctrl = protect_rule_config[Contrast::Agent::Protect::Rule::CmdInjection::NAME]
-            true?(ctrl.disable_system_commands)
+            if @_report_any_command_execution.nil?
+              ctrl = protect_rule_config[Contrast::Agent::Protect::Rule::CmdInjection::NAME]
+              @_report_any_command_execution = true?(ctrl.disable_system_commands)
+            end
+            @_report_any_command_execution
           end
 
           def report_custom_code_sysfile_access?
-            ctrl = protect_rule_config[Contrast::Agent::Protect::Rule::PathTraversal::NAME]
-            true?(ctrl.detect_custom_code_accessing_system_files)
+            if @_report_custom_code_sysfile_access.nil?
+              ctrl = protect_rule_config[Contrast::Agent::Protect::Rule::PathTraversal::NAME]
+              @_report_custom_code_sysfile_access = true?(ctrl.detect_custom_code_accessing_system_files)
+            end
+            @_report_custom_code_sysfile_access
           end
 
           # Determines if the Process we're currently in matches that of the
@@ -141,14 +149,6 @@ module Contrast
             SETTINGS.exclusion_matchers
           end
 
-          def url_exclusions
-            exclusions.select(&:url?)
-          end
-
-          def input_exclusions
-            exclusions.select(&:input?)
-          end
-
           def code_exclusions
             exclusions.select(&:code?)
           end
@@ -238,36 +238,9 @@ module Contrast
         include Contrast::Components::Interface
         access_component :config
 
-        def heap_dump_control
-          {
-              path: File.absolute_path(CONFIG.root.agent.heap_dump.path),
-              count: CONFIG.root.agent.heap_dump.count.to_i,
-              window: CONFIG.root.agent.heap_dump.window_ms.to_f / 1000,
-              delay: CONFIG.root.agent.heap_dump.delay_ms.to_f / 1000,
-              clean: true?(CONFIG.root.agent.heap_dump.clean)
-          }
-        end
-
-        DEFAULT_SAMPLING_ENABLED            = false
-        DEFAULT_SAMPLING_BASELINE           = 5
-        DEFAULT_SAMPLING_REQUEST_FREQUENCY  = 5
-        DEFAULT_SAMPLING_RESPONSE_FREQUENCY = 25
-        DEFAULT_SAMPLING_WINDOW_MS          = 180_000 # 3 minutes, arbitrary value from Java agent
-        def sampling_control settings = @sampling_features
-          cas = CONFIG.root.assess&.sampling
-
-          {
-              enabled: [cas&.enable, settings&.enabled, DEFAULT_SAMPLING_ENABLED] .reject(&:nil?).first,
-              baseline: [cas&.baseline, settings&.baseline, DEFAULT_SAMPLING_BASELINE] .map(&:to_i).find(&:positive?),
-              request_frequency: [cas&.request_frequency, settings&.request_frequency, DEFAULT_SAMPLING_REQUEST_FREQUENCY] .map(&:to_i).find(&:positive?),
-              response_frequency: [cas&.response_frequency, settings&.response_frequency, DEFAULT_SAMPLING_RESPONSE_FREQUENCY].map(&:to_i).find(&:positive?),
-              window: [cas&.window_ms, settings&.window_ms, DEFAULT_SAMPLING_WINDOW_MS] .map(&:to_i).find(&:positive?)
-          }
-        end
-
         DEFAULT_LOG_FILENAME = 'contrast_service.log'
         def service_control
-          {
+          @_service_control ||= {
               host: CONFIG.root.agent.service.host || Contrast::Configuration::DEFAULT_HOST,
               port: CONFIG.root.agent.service.port || Contrast::Configuration::DEFAULT_PORT,
               socket_path: CONFIG.root.agent.service.socket,
@@ -276,7 +249,7 @@ module Contrast
         end
 
         def exception_control
-          {
+          @_exception_control ||= {
               enable: true?(CONFIG.root.agent.ruby.exceptions.capture),
               status: CONFIG.root.agent.ruby.exceptions.override_status || 403,
               message: CONFIG.root.agent.ruby.exceptions.override_message || Contrast::Utils::ObjectShare::OVERRIDE_MESSAGE
@@ -301,35 +274,25 @@ module Contrast
       # methods for logging state.
       module Logging
         include Contrast::Components::Interface
-        access_component :config
-
-        FALLBACK = STDOUT
-        LOG_INFO_RULE_SETTINGS = 'Current rule settings:'
-        # Utility method to log the current mode of all the rules
-        def log_rule_modes
-          return unless logger&.info?
-
-          logger.info(LOG_INFO_RULE_SETTINGS)
-          PROTECT.rules.each { |k, v| logger.info(".. protect:\t#{ k } (#{ v.mode })") }
-          ASSESS.rules.each  { |k, v| logger.info(".. assess: \t#{ k } (#{ v.enabled? })") }
-        end
+        access_component :config, :logging
 
         ENV_KEYS = %w[HOME PWD RACK_ENV RAILS_ENV RUBY_VERSION GEM_HOME GEM_PATH].cs__freeze
         # Utility method to log some current ruby and rails information from environment
         def log_environment
           return unless logger.info?
 
-          logger.info "AGENT_VERSION=#{ Contrast::Agent::VERSION }"
+          logger.info('Process environment information',
+                      p_id: Process.pid,
+                      pp_id: Process.ppid,
+                      agent_version: Contrast::Agent::VERSION)
           ENV.each do |env_key, env_value|
             env_key = env_key.to_s
             next unless ENV_KEYS.include?(env_key) ||
                 (env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER) &&
                     !env_key.start_with?(Contrast::Components::Config::CONTRAST_ENV_MARKER + 'API'))
 
-            logger.info "#{ env_key }=#{ env_value }"
+            logger.info('Environment settings', key: env_key, value: env_value)
           end
-          logger.info "PARENT_PROCESS_ID=#{ Process.ppid }"
-          logger.info "PROCESS_ID=#{ Process.pid }"
         end
 
         def log_configuration
@@ -337,7 +300,7 @@ module Contrast
 
           loggable = CONFIG.raw.send(:load_config)
           loggable.delete('api')
-          logger.info "LOCAL CONFIGURATION: #{ JSON.pretty_generate(loggable) }"
+          logger.info('Current configuration', configruation: JSON.pretty_generate(loggable))
         end
 
         FRAMEWORKS = %w[rails sinatra grape].cs__freeze
@@ -353,7 +316,9 @@ module Contrast
           return unless logger.debug?
 
           Gem.loaded_specs.each_pair do |_name, gem_spec|
-            logger.debug { "GEM LOADED: #{ gem_spec.name }=#{ gem_spec.version }" }
+            logger.debug('Gem loaded',
+                         gem_name: gem_spec.name,
+                         gem_version: gem_spec.version.to_s)
           end
         end
 
@@ -361,7 +326,9 @@ module Contrast
           gem_spec = Gem.loaded_specs[gem_name]
           return unless gem_spec
 
-          logger.info { "GEM LOADED: #{ gem_spec.name }=#{ gem_spec.version }" }
+          logger.info('Gem loaded',
+                      gem_name: gem_spec.name,
+                      gem_version: gem_spec.version.to_s)
         end
       end
 

data/lib/contrast/agent/logger.rb

@@ -0,0 +1,173 @@
+# Copyright (c) 2020 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+cs__scoped_require 'logger'
+cs__scoped_require 'ougai'
+cs__scoped_require 'singleton'
+
+cs__scoped_require 'contrast/extensions/ruby_core/module'
+cs__scoped_require 'contrast/components/interface'
+
+module Contrast
+  module Ougai
+    # Our decorator for the Ougai logger allowing for timing and with_level
+    # methods.
+    module Logger
+      # Log the message at the given level.
+      #
+      # @param level [String] the name of the method to use. Should be one of
+      #   trace, debug, info, warn, error
+      # @param message [String] the message to log
+      def with_level level, message
+        send(level.to_sym, message)
+      end
+
+      # Log, at the debug level, the action with a message including the time
+      # it took for the wrapped function to complete.
+      #
+      # @param msgs [Array<Object>] the arguments to pass to the logger.
+      #   msgs[0] will be modified to include the elapsed time.
+      # @param block [Block, Proc] the block to execute
+      def debug_with_time *msgs, &block
+        log_with_time(:debug, *msgs, &block)
+      end
+
+      # Log, at the trace level, the action with a message including the time
+      # it took for the wrapped function to complete.
+      #
+      # @param msgs [Array<Object>] the arguments to pass to the logger.
+      #   msgs[0] will be modified to include the elapsed time.
+      # @param block [Block, Proc] the block to execute
+      def trace_with_time *msgs, &block
+        log_with_time(:trace, *msgs, &block)
+      end
+
+      private
+
+      def log_with_time level, *msgs
+        a = Contrast::Utils::Timer.now_ms
+        ret = yield if block_given?
+        z = Contrast::Utils::Timer.now_ms
+        msgs[0] = "#{ msgs[0] }: pid=#{ Process.pid }, elapsed=#{ z - a }ms"
+        send(level, *msgs)
+        ret
+      end
+    end
+  end
+end
+
+module Contrast
+  module Agent
+    # This class functions to serve as a wrapper around our logging, as we need
+    # to be able to dynamically update level based on updates to TeamServer.
+    class Logger
+      include Singleton
+      include Contrast::Components::Interface
+      access_component :config
+
+      DEFAULT_NAME     = 'contrast.log'
+      DEFAULT_LEVEL    = ::Ougai::Logging::Severity::INFO
+      VALID_LEVELS     = ::Ougai::Logging::Severity::SEV_LABEL
+      STDOUT_STR       = 'STDOUT'
+      STDERR_STR       = 'STDERR'
+
+      attr_reader :previous_path,
+                  :previous_level
+
+      def initialize
+        update
+      rescue StandardError => e
+        logger.error('Unable to initialize regular logger in LoggerManager.', e)
+      end
+
+      # Given new settings from TeamServer, update our logging to use the new
+      # file and level, assuming they weren't set by local configuration.
+      #
+      # @param log_file [String] the file to which to log
+      # @param log_level [String] the level at which to log
+      def update log_file = nil, log_level = nil
+        config = CONFIG.root.agent.logger
+
+        config_path  = config.path&.length.to_i.positive? ? config.path : nil
+        config_level = config.level&.length&.positive? ? config.level : nil
+
+        # config > settings > default
+        path        = valid_path(config_path   || log_file)
+        level_const = valid_level(config_level || log_level)
+
+        # don't needlessly recreate logger
+        return if @_logger && (path == previous_path) && (level_const == previous_level)
+
+        @previous_path  = path
+        @previous_level = level_const
+
+        @_logger = build(path: path, level_const: level_const)
+
+        logger.debug('Initialized new contrast agent logger')
+      rescue StandardError => e
+        logger.error('Unable to process update to LoggerManager.', e)
+      end
+
+      def logger
+        @_logger
+      end
+
+      # StringIO is a valid path because it logs directly to a string buffer
+      def write_permission? path
+        return false if path.nil?
+        return true if path.is_a?(StringIO)
+        return File.writable?(path) if File.exist?(path)
+
+        dir_name = File.dirname(File.absolute_path(path))
+        File.writable?(dir_name)
+      end
+
+      private
+
+      def build path: STDOUT_STR, level_const: DEFAULT_LEVEL
+        logger = case path
+                 when STDOUT_STR, STDERR_STR
+                   ::Ougai::Logger.new(Object.cs__const_get(path))
+                 else
+                   ::Ougai::Logger.new(path)
+                 end
+        logger.extend(Contrast::Ougai::Logger)
+        logger.progname = 'Contrast Agent'
+        logger.level = level_const
+        logger.formatter.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+        logger
+      end
+
+      def valid_path path
+        path = path.nil? ? Contrast::Utils::ObjectShare::EMPTY_STRING : path
+        return path if path == STDOUT_STR
+        return path if path == STDERR_STR
+
+        path = DEFAULT_NAME if path.empty?
+        if write_permission?(path)
+          path
+        else
+          if File.directory?(path)
+            logger.error('Unable to create log in directory. Writing to standard out instead', path: path)
+          else
+            logger.error('Unable to write to log file. Writing to standard out instead', path: path)
+          end
+
+          STDOUT_STR
+        end
+      end
+
+      def valid_level level
+        level ||= DEFAULT_LEVEL
+        level = level.upcase
+        if VALID_LEVELS.include?(level)
+          Object.cs__const_get("::Ougai::Logging::Severity::#{ level }")
+        else
+          DEFAULT_LEVEL
+        end
+      rescue StandardError
+        DEFAULT_LEVEL
+      end
+    end
+  end
+end

data/lib/contrast/agent/middleware.rb

@@ -7,10 +7,11 @@ cs__scoped_require 'rack'
 
 cs__scoped_require 'contrast/security_exception'
 cs__scoped_require 'contrast/utils/object_share'
-cs__scoped_require 'contrast/utils/gemfile_reader'
 cs__scoped_require 'contrast/agent/service_heartbeat'
 cs__scoped_require 'contrast/components/interface'
 cs__scoped_require 'contrast/utils/heap_dump_util'
+cs__scoped_require 'contrast/agent/request_handler'
+cs__scoped_require 'contrast/agent/static_analysis'
 
 cs__scoped_require 'contrast/utils/timer'
 cs__scoped_require 'contrast/utils/freeze_util'
@@ -19,331 +20,167 @@ cs__scoped_require 'contrast/utils/service_response_util'
 
 module Contrast
   module Agent
-    # This class allows the Agent to plug into the Rack middleware stack,
-    # providing hooks to relevant application events, such as request start and
-    # application code.
+    # This class allows the Agent to plug into the Rack middleware stack. When the
+    # application is first started, we initialize ourselves as a rack middleware
+    # inside of #initialize. Afterwards, we process each http request and response
+    # as it goes through the middleware stack inside of #call.
     class Middleware
       include Contrast::Components::Interface
-      access_component :contrast_service, :logging, :agent, :analysis, :config, :scope
+      access_component :agent, :logging, :scope
 
       attr_reader :app
 
-      LOG_DEBUG_MIDDLEWARE_ENV     = 'middleware: log environment'
-      LOG_DEBUG_MIDDLEWARE_LIB     = 'middleware: instrument shared libraries'
-      LOG_DEBUG_MIDDLEWARE_START   = 'middleware: startup agent'
-      LOG_DEBUG_MIDDLEWARE_SERVICE = 'middleware: starting service'
-
-      # allows the Agent to function as a middleware
+      # Allows the Agent to function as a middleware. We perform all our one-time whole-app routines in here
+      # since we're only going to be initialized a single time. Our initializatoin order is:
+      # - log environment, configuration, and all libraries
+      # - start the service sending thread, responsible for sending and processing messages
+      # - start the heartbeat thread, which triggers service startup
+      # - start instrumenting libraries and do a 'catchup' patch for everything we didn't see get loaded
+      # - enable TracePoint, which handles all class loads and required instrumentation going forward
       #
       # @param app [Rack::Application] the application to be instrumented
       # @param _legacy_param [nil] was a flag we no longer need, but Sinatra may call it
-      def initialize app, _legacy_param = nil
-        @app = app
 
+      def initialize app, _legacy_param = nil
+        @app = app # THIS MUST BE FIRST AND ALWAYS SET!
         # TODO: RUBY-545 nomenclature here needs to be updated.
-        #   enabled/initialized are really only reflective of whether we were
-        #   able to parse the config, which is the bare minimum for the agent
-        #   to do anything.
+        #   enabled/initialized are really only reflective of whether we were able to parse the config,
+        #   which is the bare minimum for the agent to do anything.
         unless AGENT.enabled?
-          logger.error('Contrast middleware initializer detected an early-stage setup failure (likely config parse).  Disabling.')
-          # ensure the agent is disabled (probably redundant)
-          AGENT.disable!
+          logger.error(
+              'Contrast middleware initializer detected an early-stage setup failure (likely config parse). Disabling.')
+          AGENT.disable! # ensure the agent is disabled (probably redundant)
           return
         end
+        agent_startup_routine
+      end
 
-        logger.debug_with_time(LOG_DEBUG_MIDDLEWARE_ENV) do
+      def agent_startup_routine
+        logger.debug_with_time('middleware: log environment') do
           settings.log_environment
           settings.log_configuration
           settings.log_specific_libraries
           settings.log_all_libraries
         end
 
-        # Initialization order should be:
-        # - start separate service sending threads
-        # - start heartbeat thread, which triggers service startup
-        # - start patching to achieve instrumentation
-
-        logger.debug_with_time(LOG_DEBUG_MIDDLEWARE_SERVICE) do
-          # get threads ready to poll for messages on the queue
-          run_service_sender_thread
-
-          # sends first message to service, which triggers service startup
-          run_service_heartbeat_thread
+        logger.debug_with_time('middleware: starting service') do
+          run_service_threads
         end
 
-        # Default instrumentation
-        logger.debug_with_time(LOG_DEBUG_MIDDLEWARE_LIB) do
-          AGENT.run_instrumentation
+        logger.debug_with_time('middleware: instrument shared libraries and patch') do
+          instrument_and_patch
         end
 
+        AGENT.enable_tracepoint
         Contrast::Agent::AtExitHook.exit_hook
       end
 
-      def settings
-        Contrast::Agent::FeatureState.instance
-      end
-
-      LOG_DEBUG_MIDDLEWARE_START_CALL = 'middleware: startup agent (call)'
-      # def _call env
+      # This is where we're hooked into the middleware stack. If the agent is enabled, we're ready
+      # to do some processing on a per request basis. If not, we just pass the request along to the
+      # next middleware in the stack.
+      #
+      # @param env [Hash] the various variables stored by this and other Middlewares to know the state
+      #   and values of this Request
+      # @return [Array,Rack::Response] the Response of this and subsequent Middlewares to be passed back
+      #   to the user up the Rack framework.
       def call env
         Contrast::Utils::HeapDumpUtil.run
 
         if AGENT.enabled?
-          response = call_with_agent(env)
-          with_contrast_scope { do_static_analysis_catchup }
-          response
+          Contrast::Agent::StaticAnalysis.catchup
+          call_with_agent(env)
         else
-          call_without_agent(env)
+          app.call(env)
         end
       end
 
-      def call_without_agent env
-        app.call(env)
-      end
+      private
 
-      REQUEST_PATH = 'REQUEST_PATH'
-      LOG_DEBUG_REQUEST = 'HTTP request cycle'
+      # This is where we process each request we intercept as a middleware. We make the request context
+      # available globally so that it can be accessed from anywhere. A RequestHandler object is made
+      # for each request, which handles prefilter and postfilter operations.
       def call_with_agent env
-        rack_request = generate_request(env)
+        framework_request = Contrast::Agent.framework_manager.retrieve_request(env)
+        context = Contrast::Agent::RequestContext.new(framework_request)
+        response = nil
 
-        context = Contrast::Agent::RequestContext.new(rack_request, true) # 'true' here is legacy, by the time we're here, we're ready
-
-        # default response
-        streaming = false
         # make the context available for the lifecycle of this request
         Contrast::Agent::REQUEST_TRACKER.lifespan(context) do
-          # record entire time
-          logger.debug_with_time(LOG_DEBUG_REQUEST) do
-            # process filters that can short circuit application processing
+          request_handler = Contrast::Agent::RequestHandler.new(context)
+
+          logger.debug_with_time('HTTP request cycle') do
+            # prefilter sequence
             with_contrast_scope do
               context.service_extract_request
-              prefilter(context)
+              request_handler.ruleset.prefilter
             end
 
-            # run application by passing request down the Rack chain using
-            # the original env
-            response = application_code(env)
+            response = application_code(env) # pass request down the Rack chain with original env
 
-            # if streaming, allow for early return with application response
-            streaming = possibly_streaming?(env)
-            if streaming
-              with_contrast_scope { postfilter(context, streaming) }
-              return response
+            # postfilter sequence
+            with_contrast_scope do
+              context.extract_after(response) # update context with final response information
+
+              if Contrast::Agent.framework_manager.streaming?(env)
+                context.reset_activity
+                request_handler.stream_safe_postfilter
+              else
+                request_handler.ruleset.postfilter
+                # return response stored in the context in case any postfilter rules updated the response data
+                response = context.response&.rack_response || response
+                request_handler.send_activity_messages
+              end
             end
-
-            # update context with final response information
-            context.extract_after(response)
-
-            # process filters that look at response headers and body
-            with_contrast_scope { postfilter(context) }
           end
         end
 
-        # return the response stored in the context in case any postfilter rules
-        # updated the response data
-        context&.response&.rack_response || response
-
-      # handle security exception
+        response
       rescue StandardError => e
         handle_exception(e)
-      ensure
-        begin
-          handle_ensure(context, streaming)
-        rescue Exception => e # rubocop:disable Lint/RescueException
-          logger.error(e, 'Exception raised while flushing messages to Contrast service!')
-          raise
-        end
       end
 
-      LOG_WARN_FRAMEWORK_PARSE = 'Unable to generate framework specific request - falling back to Rack'
-      # Given the rack environment of this call, generate a framework specific
-      # request object to bind to this context. In the event that multiple
-      # supported frameworks are defined OR we cannot determine the framework
-      # currently in use or there is an exception during request generation, we
-      # will fall back on Rack::Request object
-      def generate_request env
-        rails_defined = defined?(Rails)
-        sinatra_defined = defined?(Sinatra) && defined?(Sinatra::Request)
-
-        if rails_defined && !sinatra_defined
-          # code from /lib/action_cable/connection/base
-          environment = Rails.application.env_config.merge(env) if defined?(Rails.application) && Rails.application
-          ActionDispatch::Request.new(environment || env)
-        # !defined? currently redundant, won't be if we have more frameworks
-        elsif sinatra_defined && !rails_defined
-          Sinatra::Request.new(env)
-        else # many OR none
-          Rack::Request.new(env)
-        end
-      rescue StandardError => e
-        logger.warn(e, LOG_WARN_FRAMEWORK_PARSE)
-        Rack::Request.new(env)
-      end
-
-      LOG_ERROR_STREAM_CHECK = 'Unable to check for streaming'
-      ACTION_CONTROLLER_INSTANCE = 'action_controller.instance'
-      # First check to see if an action could potentially be streaming a response
-      def possibly_streaming? env
-        return false unless defined?(ActionController::Live)
-
-        env[ACTION_CONTROLLER_INSTANCE].cs__class.included_modules.include?(ActionController::Live)
-      rescue StandardError => e
-        logger.warn(LOG_ERROR_STREAM_CHECK, e)
-      end
-
-      LOG_ERROR_ENSURE = 'Context not defined in middleware ensure.'
-      # Send a server activity message and an application activity message
-      # and return response
-      def handle_ensure context, streaming
-        if context
-          logger.debug('Middleware request lifecycle complete; flushing context activity to Contrast service.')
-          Contrast::Utils::GemfileReader.instance.generate_library_usage(context.activity)
-          [context.server_activity, context.activity, context.observed_route].each do |message|
-            CONTRAST_SERVICE.send_message message
-          end
-        else
-          logger.error(LOG_ERROR_ENSURE)
+      def application_code env
+        logger.trace_with_time('application') do
+          app.call(env)
         end
-        return unless streaming
-
-        context.reset_activity
+      rescue Contrast::SecurityException => e
+        logger.trace('Security Exception raised during application lifecycle to prevent an attack', e)
+        raise e
       end
 
       SECURITY_EXCEPTION_MARKER = 'Contrast::SecurityException'
-      LOG_RETHROW_ERROR = 'Re-throwing original error'
       # We're only going to suppress SecurityExceptions indicating a blocked attack.
       # And, only if the config.agent.ruby.exceptions.capture? is set
       def handle_exception exception
         if exception.is_a?(Contrast::SecurityException) ||
               exception.message&.include?(SECURITY_EXCEPTION_MARKER)
 
-          exception_control = Contrast::Agent::FeatureState.instance.exception_control
+          exception_control = settings.exception_control
           raise exception unless exception_control[:enable]
 
           [exception_control[:status], {}, [exception_control[:message]]]
         else
-          # Log original re-raise
-          logger.debug(exception, LOG_RETHROW_ERROR)
+          logger.debug('Re-throwing original error', exception)
           raise exception
         end
       end
 
-      LOG_DEBUG_PREFILTER = 'prefilter'
-      LOG_ERROR_PREFILTER = 'Unexpected exception during prefilter'
-      # Iterate through rules that only depend upon the request object.
-      def prefilter context
-        return unless context.app_loaded?
-
-        logger.debug_with_time(LOG_DEBUG_PREFILTER) do
-          prefilter_assess(context) if ASSESS.enabled? && context.analyze_request?
-          prefilter_protect(context) if PROTECT.enabled?
-        end
-      rescue Contrast::SecurityException => e
-        logger.warn("RASP threw security exception in prefilter: exception=#{ e.message }")
-        raise e
-      rescue StandardError => e
-        logger.error(LOG_ERROR_PREFILTER, e)
-      end
-
-      def prefilter_assess context
-        rules = ASSESS.rules
-        logger.debug("Assess: Running #{ rules.length } rules in prefilter.")
-        prefilter_rules(rules, context)
-      end
-
-      def prefilter_protect context
-        rules = PROTECT.rules
-        logger.debug("Protect: Running #{ rules.length } rules in prefilter.")
-        prefilter_rules(rules, context)
-      end
-
-      def prefilter_rules rules, context
-        rules.each do |_, rule|
-          rule.prefilter(context)
-        end
-      end
-
-      LOG_DEBUG_APPLICATION = 'application'
-      # Run the next level of the Rack stack as normal
-      def application_code env
-        logger.debug_with_time(LOG_DEBUG_APPLICATION) do
-          app.call(env)
-        end
-      rescue Contrast::SecurityException => e
-        logger.info("RASP threw security exception in application code: exception=#{ e.message }")
-        raise e
-      end
-
-      LOG_DEBUG_POSTFILTER = 'postfilter'
-      LOG_ERROR_POSTFILTER = 'Unexpected exception during postfilter'
-      # Iterate through rules that depend on the full response object
-      def postfilter context, streaming = false
-        return unless context.app_loaded?
-
-        logger.debug_with_time(LOG_DEBUG_POSTFILTER) do
-          if ASSESS.enabled? && context.analyze_response?
-            logger.debug("Assess:\tRunning #{ ASSESS.rules.length } rules in postfilter.")
-            postfilter_rules(ASSESS.rules, context, streaming)
-          end
-
-          if PROTECT.enabled?
-            logger.debug("Protect:\tRunning #{ PROTECT.rules.length } rules in postfilter.")
-            postfilter_rules(PROTECT.rules, context, streaming)
-          end
-        end
-      rescue Contrast::SecurityException => e
-        logger.warn("RASP threw security exception: exception=#{ e.message }")
-        raise e
-      rescue StandardError => e
-        logger.error(LOG_ERROR_POSTFILTER, e)
-      end
-
-      # Iterate through a list of rules with the current context and the full response body
-      def postfilter_rules rules, context, streaming
-        rules.each do |_, rule|
-          if !streaming || rule.stream_safe?
-            rule.postfilter(context)
-          else
-            logger.debug("Skipping rule: #{ rule.name } in streamed response.")
-          end
-        end
-      end
-
-      def run_service_heartbeat_thread
-        # Rspec stubs over this method for simplicity's sake in testing.
-        # Take care if you refactor this back into #initialize.
-        Contrast::Agent::ServiceHeartbeat.new.start
+      def settings
+        Contrast::Agent::FeatureState.instance
       end
 
-      def run_service_sender_thread
-        # Rspec stubs over this method for simplicity's sake in testing.
-        # Take care if you refactor this back into #initialize.
+      # Rspec stubs over these methods for simplicity's sake in testing
+      def run_service_threads
         Contrast::Utils::ServiceSenderUtil.start
+        Contrast::Agent::ServiceHeartbeat.new.start
       end
 
-      LOG_DEBUG_MW_INV = 'middleware: send inventory'
-      LOG_WARN_STATIC_ANALYSIS = 'Unable to run post-initialization static analysis'
-      # this is memoized, should only be meaningful after the first agented
-      # HTTP request
-      def do_static_analysis_catchup
-        @_do_static_analysis_catchup ||= begin
-                                           # Everything in here should be asynchronous, as we need to return
-                                           # the HTTP response from middleware ASAP.
-
-                                           # Review already-loaded inventory
-                                           logger.debug_with_time('initializer: report loaded gemset') do
-                                             Contrast::Utils::GemfileReader.instance.map_loaded_classes
-                                           end
-
-                                           # Report already-loaded inventory
-                                           logger.debug_with_time(LOG_DEBUG_MW_INV) do
-                                             settings.send_inventory_message
-                                           end
-
-                                           true
-                                         end
-      rescue StandardError => e
-        logger.warn(LOG_WARN_STATIC_ANALYSIS, e)
+      # All this method chain does anymore is load the Thread patch that
+      # propagates request contexts.  That can go away RUBY-700.
+      SHARED_LIBRARIES = %w[contrast/extensions/ruby_core/thread].cs__freeze
+      def instrument_and_patch
+        SHARED_LIBRARIES.each { |lib| settings.instrument(lib) }
+        Contrast::Agent::Patching::Policy::Patcher.patch
       end
     end
   end