immunio 0.15.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1c331edca1ddff7a5fcb72c6b6c28242157ff552
+  data.tar.gz: 23ceaa2748c24eae7a80d952278887361aab6d9f
+SHA512:
+  metadata.gz: 2de2e6af290768ab138e0ad91a5ffa1dca0e3b80011c0eb45c4ff5b34241d2ef15911cb7e91a24579dee7c02babb8b688ff491516d81ccbffeec2be888d56336
+  data.tar.gz: c45c6cb2bcd16d4d317a444100d90713229c1599e7920c9d7cd203e0697dda0eca3d366cfed0d18f4cb0742ccba4a96ce86b01d51b1eeb485c9256dfc3811f8b

data/LICENSE

@@ -0,0 +1,234 @@
+This product includes content covered by the following license:
+Copyright (C) 1994-2008 Lua.org, PUC-Rio.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+This product includes content covered by the following license:
+Copyright (C) 2008-2012 Mike Pall.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+This product includes content covered by the following license:
+Copyright 2012, 2013, 2014
+Nick Galbreath -- nickg [at] client9 [dot] com
+http://www.client9.com/projects/libinjection/
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+  Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+  Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+  Neither the name of libinjection nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+This product includes content covered by the following license:
+Copyright (C) 1994–2015 Lua.org, PUC-Rio.
+
+Permission is hereby granted, free of charge,
+to any person obtaining a copy of this software and
+associated documentation files (the "Software"),
+to deal in the Software without restriction,
+including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software,
+and to permit persons to whom the Software is
+furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice
+shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+This product includes content covered by the following license:
+Copyright (C) 2012 Salvatore Sanfilippo.  All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+This product includes content covered by the following license:
+Copyright (c) 2007-2015 Mitchell
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+This product includes content covered by the following license:
+Copyright (c) 2012, Daniel Lindsley
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+* Neither the name of the base64 nor the names of its contributors may be
+  used to endorse or promote products derived from this software without
+  specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+This product includes content covered by the following license:
+Copyright (c) 2012 codingow.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+
+
+All other components of this product are
+Copyright (c) 2015 Immunio, Inc.  All rights reserved.
+
+Certain inventions disclosed in this file may be claimed within
+patents owned or patent applications filed by Immunio, Inc. or third
+parties.
+
+Subject to the terms of this notice, Immunio grants you a
+nonexclusive, nontransferable license, without the right to
+sublicense, to (a) install and execute one copy of these files on any
+number of workstations owned or controlled by you and (b) distribute
+verbatim copies of these files to third parties.  As a condition to the
+foregoing grant, you must provide this notice along with each copy you
+distribute and you must not remove, alter, or obscure this notice. All
+other use, reproduction, modification, distribution, or other
+exploitation of these files is strictly prohibited, except as may be set
+forth in a separate written license agreement between you and Immunio.
+The terms of any such license agreement will control over this
+notice.  The license stated above will be automatically terminated and
+revoked if you exceed its scope or violate any of the terms of this
+notice.
+
+This License does not grant permission to use the trade names,
+trademarks, service marks, or product names of Immunio, except as
+required for reasonable and customary use in describing the origin of
+this file and reproducing the content of this notice.  You may not
+mark or brand this file with any trade name, trademarks, service
+marks, or product names other than the original brand (if any)
+provided by Immunio.
+
+Unless otherwise expressly agreed by Immunio in a separate written
+license agreement, these files are provided AS IS, WITHOUT WARRANTY OF
+ANY KIND, including without any implied warranties of MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, TITLE, or NON-INFRINGEMENT.  As a
+condition to your use of these files, you are solely responsible for
+such use. Immunio will have no liability to you for direct,
+indirect, consequential, incidental, special, or punitive damages or
+for lost profits or data.

data/README.md

@@ -0,0 +1,147 @@
+# Immunio Ruby Agent
+
+## Installation
+
+Add the private Immunio Gemfury repo and the gem itself to your Gemfile:
+
+```ruby
+gem 'immunio', source: 'https://6kxysjCKxsZz3uR6wgas@gem.fury.io/immunio/'
+```
+
+Run Bundler to install the gem:
+
+```sh
+bundle install
+```
+
+Note that if your application is not using Bundler, require the Immunio package:
+
+```ruby
+require 'immunio'
+```
+
+## Configuration
+
+The agent key and secret can be configured via the `IMMUNIO_KEY` and `IMMUNIO_SECRET` environment variables.
+
+Optionally, a configuration file can be provided in *config/immunio.yml* which will take precedence over the environment variables:
+
+```yaml
+key: "my-key"
+secret: "my-secret"
+```
+
+The Immunio agent is enabled by default in all rails environments. It can be enabled in production only in your Gemfile:
+
+```ruby
+gem immunio', group: :production
+```
+
+You can also modify the secret and key for different environments to report to different apps, or you can disable the agent by setting `agent_enabled: false` in the configuration or `IMMUNIO_AGENT_ENABLED=0` in the environment.
+
+## Handling blocked requests
+
+By default, Immunio will return a plain text *403 Forbidden* response whenever it blocks a request for security reasons.
+
+To customize this behavior, use the `Immunio.blocked_app` option, which should be a valid [Rack application](http://rack.github.io/):
+
+```ruby
+Immunio.blocked_app = -> env do
+  [
+    403,
+    { 'Content-Type' => 'text/html' },
+    ActionController::DataStreaming::FileBody.new('public/403.html')
+  ]
+end
+```
+
+## Authentication API
+
+If you're using [Devise](https://github.com/plataformatec/devise) or [Authlogic](https://github.com/binarylogic/authlogic), Immunio will automatically hook into your authentication system to protect you against attacks.
+
+If you're not using one of the above frameworks, you will need to manually tell Immunio when authentication occurs. Use the following methods to do so.
+
+- After a user logs in: `Immunio.login user`
+- After a failed login attempt: `Immunio.failed_login`
+- After a user logs out: `Immunio.logout`
+- After the current user is changed (or set): `Immunio.set_user`
+- After a user requests a password reset: `Immunio.password_reset`
+- After a failed requests for resetting a password: `Immunio.failed_password_reset`
+
+**Note:** `Immunio.set_user` should be called for every request where user data is available, not just when authentication mechanisms are used.
+
+These methods take an options hash with the following information:
+
+* user_id: String or Number
+* username: String
+* email: String
+* user_record: ActiveRecord object for the user
+* reason: String (for failures)
+
+Here's an example:
+
+```ruby
+class ApplicationController
+  def current_user=(user)
+    Immunio.set_user user_record: user
+    # Store user ...
+  end
+end
+
+class SessionsController < ApplicationController
+  # POST /login
+  def create
+    if user = User.authenticate(params[:user])
+      Immunio.login user_record: user
+      self.current_user = user
+      # ...
+    else
+      Immunio.failed_login username: params[:user]
+      # ...
+    end
+  end
+
+  # DELETE /logout
+  def destroy
+    Immunio.logout user_record: current_user
+    # ...
+  end
+end
+```
+
+## Support
+
+- Ruby 2.0 and up
+- Rails 3.2 to 4.2
+
+## Building the gem
+
+To build the pure Ruby gem:
+
+```sh
+$ rake gem
+```
+
+To build with bundled pre-compiled C extensions:
+
+```sh
+$ rake native gem
+```
+
+For cross-compilation, see https://github.com/luislavena/rake-compiler#cross-compilation---the-future-is-now.
+
+## Testing
+
+To run tests (under Rails 4.2):
+
+```sh
+$ rake test
+```
+
+To run tests under Rails 3.2:
+
+```sh
+$ export RAILS_VERSION=3.2
+$ bundle update rails
+$ rake test
+```

data/bin/immunio

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'immunio/cli'
+
+Immunio::CLI.start

data/lib/immunio.rb

@@ -0,0 +1,29 @@
+module Immunio
+  DIR = File.expand_path(File.dirname(__FILE__))
+
+  def self.activate!
+    require_relative "immunio/agent"
+    require_relative "immunio/authentication"
+
+    agent # Force load agent
+  end
+
+  # Load plugins (after agent is loaded)
+  def self.activate_plugins!
+    require_relative "immunio/plugins/action_view"
+    # NOTE immunio/plugins/active_record is loaded after ActiveRecord is configured in rails.rb
+    require_relative "immunio/plugins/action_dispatch"
+    require_relative "immunio/plugins/csrf"
+    require_relative "immunio/plugins/io"
+    require_relative "immunio/plugins/devise"
+    require_relative "immunio/plugins/warden"
+    require_relative "immunio/plugins/authlogic"
+    require_relative "immunio/plugins/redirect"
+    require_relative "immunio/plugins/eval"
+
+    # Load and activate Rails engine
+    require_relative "immunio/rails"
+  end
+end
+
+Immunio.activate!

data/lib/immunio/agent.rb

@@ -0,0 +1,260 @@
+require "set"
+require "yaml"
+
+require_relative "channel"
+require_relative "processor"
+
+
+
+module Immunio
+  @agent = nil
+
+  # Plugins that are enabled by default. Override using the `plugins_enabled`
+  # and `plugins_disabled` configuration settings.
+  DEFAULT_PLUGINS = ["xss", "file_io", "redirect", "sqli", "eval", "shell_command"]
+
+  CONFIG_FILENAME = "immunio.yml"
+
+  class Agent
+    include ActiveSupport::Configurable
+
+    # These configuration accessors will be available via the `config` method.
+    # NB: :key must be accessed using config[:key] and not config.key
+    config_accessor :key, :secret
+
+    config_accessor :hello_url
+
+    config_accessor :log_file
+    config_accessor :log_level
+    config_accessor :log_timings
+    config_accessor :log_context_data
+
+    config_accessor :http_timeout
+
+    config_accessor :max_send_queue_size
+    config_accessor :max_report_interval
+    config_accessor :min_report_size
+    config_accessor :max_report_size
+    config_accessor :max_report_bytes
+
+    # These two values control the exponential backoff behaviour during
+    # communication failure.
+    config_accessor :initial_delay_ms
+    config_accessor :max_delay_ms
+
+    # How long should the Agent wait for the Immunio Service to provide an
+    # initial ruleset. Any "Falsy" value means don't wait at all.
+    config_accessor :ready_timeout
+
+    # Control which plugins will be enabled on startup.
+    # `plugins_active` contains the default list of plugins. Other plugins
+    # can be added to the list by putting them in `plugins_enabled` or
+    # removed from the list by adding the to `plugins_disabled`.
+    config_accessor :plugins_active
+    config_accessor :plugins_disabled
+    config_accessor :plugins_enabled
+
+    # Set to `true` to enable automatic reloading of hook handlers from files.
+    config_accessor :dev_mode
+
+    # Set to `true` to enable lua debugging urls etc.
+    config_accessor :debug_mode
+
+    # Set to `false` to disable the agent.
+    config_accessor :agent_enabled
+
+    # Set to an array of safe methods for creating ActiveSupport::SafeBuffers
+    # with script tags.
+    config_accessor :safe_script_tag_contexts
+
+    # Any settings specified in vm_data are used to override agent
+    # configuration returned from the server. Mostly used for debugging
+    # purposes.
+    config_accessor :vm_data
+
+    def initialize
+      Immunio.logger.info "Initializing agent version #{VERSION} for process #{Process.pid}"
+
+      config.key = config.secret = "-default-"
+      config.hello_url = "https://agent.immun.io/"
+      config.log_file = "log/immunio.log"
+      config.log_level = "info"
+      config.log_timings = false
+      config.log_context_data = false
+      config.http_timeout = 30 # seconds
+      config.max_send_queue_size = 500 # messages
+      config.max_report_interval = 10 # seconds
+      config.min_report_size = 25 # messages
+      config.max_report_size = 50 # messages
+      config.max_report_bytes = 1500000 # Just shy of 1.5 megs
+      config.initial_delay_ms = 100  # milliseconds
+      config.max_delay_ms = 10 * 60 * 1000  # milliseconds
+      config.dev_mode = false
+      config.debug_mode = false
+      config.ready_timeout = 0
+      # Default list of active plugins
+      config.plugins_active = DEFAULT_PLUGINS.to_set
+      # Default to empty lists for enabled and disabled
+      config.plugins_enabled = []
+      config.plugins_disabled = []
+      config.agent_enabled = true
+      config.safe_script_tag_contexts = []
+      config.vm_data = {}
+
+      # Be sure all config attributes have a type before this call:
+      load_config
+
+      Immunio::switch_to_real_logger(config.log_file, config.log_level)
+
+      if !config.agent_enabled then
+        Immunio.logger.info "Agent disabled in config"
+        return
+      end
+
+      @vmfactory = VMFactory.new(config[:key], config.secret, config.dev_mode,
+                                 config.debug_mode)
+
+      @channel = Channel.new(config)
+      @channel.on_sending do
+        @vmfactory.current_state
+      end
+
+      # Link things together. The vmfactory needs to know about updates
+      # to the code and data, and the channel needs to know when everything
+      # is up to date.
+      have_code = config.dev_mode
+      have_data = false
+      @channel.on_message do |message|
+        case message[:type]
+          when "engine.vm.code.update"
+            # Don't update code in dev_mode
+            unless config.dev_mode
+              @vmfactory.update_code message[:version], message[:code]
+              have_code = true
+              if have_data
+                @channel.set_ready
+              end
+            end
+          when "engine.vm.data.update"
+            @vmfactory.update_data message[:version], message[:data]
+            have_data = true
+            if have_code
+              @channel.set_ready
+            end
+        end
+      end
+
+      @processor = Processor.new(@channel, @vmfactory, config)
+    end
+
+    def load_config
+      Immunio.logger.debug "Default configuration: #{config}"
+
+      # Try loading file from some standard locations. First match is used.
+      locations = []
+      locations << Rails.root.join("config", CONFIG_FILENAME) if defined?(Rails.root) && Rails.root
+      locations << File.join("config", CONFIG_FILENAME)
+
+      locations.each do |location|
+        Immunio.logger.debug "Trying to find config file at #{location}"
+        begin
+          realpath = File.realpath(location) # Raises exception if file doesn't exist
+          Immunio.logger.debug "Found config file at #{realpath}"
+          options = YAML.load_file(realpath).symbolize_keys
+          config.update options
+          Immunio.logger.debug "Configuration after loading from file: #{config}"
+          break
+        rescue SystemCallError => e
+          Immunio.logger.debug "Failed to load config: #{e}"
+        end
+      end
+
+      # Load private config from env vars.
+      # Set the type of the same as set in initialize
+      config.keys.each do |key|
+        if ENV["IMMUNIO_#{key.upcase}"] then
+          new_value = ENV["IMMUNIO_#{key.upcase}"]
+          case config[key]
+          when String
+            config[key] = new_value
+          when Fixnum
+            config[key] = Integer(new_value)
+          when TrueClass, FalseClass
+            config[key] = !(new_value =~ (/^(true|t|yes|y|1)$/i)).nil?
+          when Array
+            config[key] = new_value.split(/[\s,]+/)
+          when Set
+            config[key] = new_value.split(/[\s,]+/).to_set
+          else
+            raise ArgumentError, "Unknown ENV conversion for #{config[key].class}"
+          end
+        end
+      end
+
+      Immunio.logger.debug "Configuration after evaluating env vars: #{config}"
+
+      # Remove any requested plugins, then add any requested plugins.
+      config.plugins_active.subtract(config.plugins_disabled)
+      config.plugins_active.merge(config.plugins_enabled)
+      Immunio.logger.info "Active plugins: #{config.plugins_active.to_a}"
+
+    end
+
+    def plugin_enabled?(plugin)
+      # Check if the specified `plugin` is enabled based on the Agent config.
+      config.plugins_active.member?(plugin)
+    end
+
+    def new_request(*args)
+      @processor.new_request(*args)
+    end
+
+    def finish_request(*args)
+      @processor.finish_request(*args)
+    end
+
+    def run_hook(*args)
+      @processor.run_hook(*args) if defined? @processor
+    end
+
+    def run_hook!(*args)
+      @processor.run_hook!(*args) if defined? @processor
+    end
+
+    def environment=(environment)
+      @processor.environment = environment
+    end
+  end
+
+  AGENT_INIT_MUTEX = Mutex.new
+  def self.agent
+    return @agent if @agent
+
+    AGENT_INIT_MUTEX.synchronize do
+      @agent = Agent.new
+      activate_plugins! if @agent.agent_enabled
+    end
+
+    @agent
+  end
+
+  def self.new_request(*args)
+    agent.new_request(*args)
+  end
+
+  def self.finish_request(*args)
+    agent.finish_request(*args)
+  end
+
+  def self.run_hook(*args)
+    agent.run_hook(*args)
+  end
+
+  def self.run_hook!(*args)
+    # Don't run hooks if we're starting up the agent and opening a log
+    agent.run_hook!(*args) unless !@agent && args[0] == "io" && args[1] == "open"
+  end
+
+  # Initialize startup logger now!
+  create_startup_logger
+end