sqreen-alt 1.10.0

data/lib/sqreen/frameworks/rails.rb

@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/frameworks/generic'
+require 'sqreen/middleware'
+
+module Sqreen
+  module Frameworks
+    # Rails related framework code
+    class RailsFramework < GenericFramework
+      DB_MAPPING = {
+        'SQLite' => :sqlite,
+        'MySQL' => :mysql,
+        'Mysql2' => :mysql,
+      }.freeze
+
+      def framework_infos
+        {
+          :framework_type => 'Rails',
+          :framework_version => Rails::VERSION::STRING,
+          :environment => Rails.env.to_s,
+        }
+      end
+
+      def development?
+        Rails.env.development?
+      end
+
+      def db_settings(options = {})
+        adapter = options[:connection_adapter]
+        return nil unless adapter
+
+        begin
+          adapter_name = adapter.adapter_name
+        rescue
+          # FIXME: we may want to log that
+          Sqreen.log.warn 'cannot find ADAPTER_NAME'
+          return nil
+        end
+        db_type = DB_MAPPING[adapter_name]
+        db_infos = { :name => adapter_name }
+        [db_type, db_infos]
+      end
+
+      def ip_headers
+        ret = super
+        remote_ip = rails_client_ip
+        ret << ['action_dispatch.remote_ip', remote_ip] unless remote_ip.nil?
+        ret
+      end
+
+      # What is the current client IP as seen by rails
+      def rails_client_ip
+        req = request
+        return unless req && req.env
+        remote_ip = req.env['action_dispatch.remote_ip']
+        return unless remote_ip
+        # FIXME: - this exist only since Rails 3.2.1
+        # http://apidock.com/rails/v3.2.1/ActionDispatch/RemoteIp/GetIp/calculate_ip
+        return remote_ip.calculate_ip if remote_ip.respond_to?(:calculate_ip)
+        # This might not return the same value as calculate IP
+        remote_ip.to_s
+      end
+
+      def request_id
+        req = request
+        return super unless req
+        req.env['action_dispatch.request_id'] || super
+      end
+
+      def root
+        return nil unless @application
+        @application.root
+      end
+
+      # Register a new initializer in rails to ba called when we are starting up
+      class Init < ::Rails::Railtie
+        def self.startup
+          initializer 'sqreen.startup' do |app|
+            app.middleware.insert_before(Rack::Runtime, Sqreen::Middleware)
+            app.middleware.insert_after(ActionDispatch::DebugExceptions, Sqreen::RailsMiddleware)
+            app.middleware.insert_after(ActionDispatch::DebugExceptions, Sqreen::ErrorHandlingMiddleware)
+            yield app
+          end
+        end
+      end
+
+      def on_start(&block)
+        @calling_pid = Process.pid
+        Init.startup do |app|
+          hook_rack_request(app.class, &block)
+          app.config.after_initialize do
+            yield self
+          end
+        end
+      end
+
+      def prevent_startup
+        res = super
+        return res if res
+        run_in_test = sqreen_configuration.get(:run_in_test)
+        return :rails_test if !run_in_test && (Rails.env.test? || Rails.env.cucumber?)
+
+        # SQREEN-880 - prevent Sqreen startup on Sidekiq workers
+        return :sidekiq_cli if defined?(Sidekiq::CLI)
+
+        # Prevent Sqreen startup on rake tasks - unless this is a Sqreen test
+        return :rake if !run_in_test && $0.end_with?('rake')
+
+        return nil unless defined?(Rails::CommandsTasks)
+        return nil if defined?(Rails::Server)
+        return :rails_console    if defined?(Rails::Console)
+        return :rails_dbconsole  if defined?(Rails::DBConsole)
+        return :rails_generators if defined?(Rails::Generators)
+        nil
+      end
+
+      def instrument_when_ready!(instrumentor, rules)
+        instrumentor.instrument!(rules, self)
+      end
+
+      def rails_params
+        self.class.rails_params(request)
+      end
+
+      def self.rails_params(request)
+        return nil unless request
+        other = request.env['action_dispatch.request.parameters']
+        return nil unless other
+        # Remove Rails created parameters:
+        other = other.dup
+        other.delete :action
+        other.delete :controller
+        other
+      end
+
+      P_OTHER = 'other'.freeze
+
+      def self.parameters_from_request(request)
+        return {} unless request
+        ret = super(request)
+        ret[P_OTHER] = rails_params(request)
+        ret
+      end
+    end
+  end
+end

data/lib/sqreen/frameworks/rails3.rb

@@ -0,0 +1,36 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/frameworks/rails'
+
+module Sqreen
+  module Frameworks
+    # Handle Rails 3 specifics
+    class Rails3Framework < RailsFramework
+      def root
+        Rails.root
+      end
+
+      def prevent_startup
+        res = super
+        return res if res
+        return :rails_console if defined?(Rails::Console)
+        nil
+      end
+
+      def instrument_when_ready!(instrumentor, rules)
+        config = Rails.configuration
+        if config.cache_classes
+          instrumentor.instrument!(rules, self)
+        else
+          # FIXME: What needs to be done if no active_record?
+          # (probably related to SQREEN-219)
+          frm = self
+          ActiveSupport.on_load(:active_record) do
+            instrumentor.instrument!(rules, frm)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/frameworks/request_recorder.rb

@@ -0,0 +1,69 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+require 'set'
+require 'sqreen/shared_storage'
+require 'sqreen/events/request_record'
+
+module Sqreen
+  # Store event/observations that happened in this request
+  module RequestRecorder
+    def observed_items
+      SharedStorage.get(:observed_items)
+    end
+
+    def observed_items=(value)
+      SharedStorage.set(:observed_items, value)
+    end
+
+    def payload_requests
+      SharedStorage.get(:payload_requests)
+    end
+
+    def payload_requests=(value)
+      SharedStorage.set(:payload_requests, value)
+    end
+
+    def only_metric_observation
+      SharedStorage.get(:only_metric_observation)
+    end
+
+    def only_metric_observation=(value)
+      SharedStorage.set(:only_metric_observation, value)
+    end
+
+    def clean_request_record
+      self.only_metric_observation = true
+      self.payload_requests = Set.new
+      self.observed_items = Hash.new { |hash, key| hash[key] = [] }
+    end
+
+    def observe(what, data, accessors = [], report = true)
+      clean_request_record if observed_items.nil?
+      self.only_metric_observation = false if report
+      observed_items[what] << data
+      payload_requests.merge(accessors)
+    end
+
+    def close_request_record(queue, observations_queue, payload_creator)
+      clean_request_record if observed_items.nil?
+      if only_metric_observation
+        push_metrics(observations_queue, queue)
+        return clean_request_record
+      end
+      payload = payload_creator.payload(payload_requests)
+      payload[:observed] = observed_items
+      queue.push RequestRecord.new(payload)
+      clean_request_record
+    end
+
+    protected
+
+    def push_metrics(observations_queue, event_queue)
+      observed_items[:observations].each do |obs|
+        observations_queue.push obs
+      end
+      return unless observations_queue.size > MAX_OBS_QUEUE_LENGTH / 2
+      event_queue.push Sqreen::METRICS_EVENT
+    end
+  end
+end

data/lib/sqreen/frameworks/sinatra.rb

@@ -0,0 +1,57 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/frameworks/generic'
+require 'sqreen/middleware'
+
+module Sqreen
+  module Frameworks
+    # Handle Sinatra specific functions
+    class SinatraFramework < GenericFramework
+      def framework_infos
+        h = super
+        h[:framework_type] = 'Sinatra'
+        h[:framework_version] = Sinatra::VERSION
+        h
+      end
+
+      def on_start(&block)
+        hook_app_build(Sinatra::Base)
+        hook_rack_request(Sinatra::Application, &block)
+        yield self
+      end
+
+      def db_settings(options = {})
+        adapter = options[:connection_adapter]
+        return nil unless adapter
+
+        begin
+          adapter_name = adapter.class.const_get 'ADAPTER_NAME'
+        rescue
+          # FIXME: we may want to log that
+          Sqreen.log.warn 'cannot find ADAPTER_NAME'
+          return nil
+        end
+        db_type = DB_MAPPING[adapter_name]
+        db_infos = { :name => adapter_name }
+        [db_type, db_infos]
+      end
+
+      def hook_app_build(klass)
+        klass.singleton_class.class_eval do
+          define_method(:setup_default_middleware_with_sqreen) do |builder|
+            ret = setup_default_middleware_without_sqreen(builder)
+            builder.instance_variable_get('@use').insert(2, proc do |app|
+              # Inject error middle just before sinatra one
+              Sqreen::ErrorHandlingMiddleware.new(app)
+            end)
+            ret
+          end
+
+          alias_method :setup_default_middleware_without_sqreen, :setup_default_middleware
+          alias_method :setup_default_middleware, :setup_default_middleware_with_sqreen
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/frameworks/sqreen_test.rb

@@ -0,0 +1,26 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/frameworks/generic'
+
+module Sqreen
+  module Frameworks
+    # Rails related framework code
+    class SqreenTestFramework < GenericFramework
+      def framework_infos
+        {
+          :framework_type => 'SqreenTest',
+          :framework_version => '0.1',
+        }
+      end
+
+      def client_ip
+        '127.0.0.1'
+      end
+
+      def request_infos
+        {}
+      end
+    end
+  end
+end

data/lib/sqreen/instrumentation.rb

@@ -0,0 +1,542 @@
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.io/terms.html
+
+require 'sqreen/callback_tree'
+require 'sqreen/log'
+require 'sqreen/stats'
+require 'sqreen/exception'
+require 'sqreen/performance_notifications'
+require 'sqreen/call_countable'
+require 'sqreen/events/remote_exception'
+require 'sqreen/rules_signature'
+require 'set'
+
+# How to override a class method:
+#
+# class Cache
+#
+#     def self.get3
+#         puts "GET3"
+#     end
+#     def self.get
+#         puts "GET"
+#     end
+# end
+#
+# class << Cache  # Change context to metaclass of Cache
+#     def get_modified
+#         puts "GET MODIFI"
+#     end
+#     alias_method :get_not_modified, :get
+#     alias_method :get, :get_modified
+# end
+
+module Sqreen
+  class Instrumentation
+    WHITELISTED_METRIC='whitelisted'.freeze
+    @@override_semaphore = Mutex.new
+
+    ## Overriden methods and callbacks globals
+    @@overriden_methods = []
+    @@registered_callbacks = CBTree.new
+    @@instrumented_pid = nil
+
+    def self.semaphore
+      @@override_semaphore
+    end
+
+    def self.instrumented_pid
+      @@instrumented_pid
+    end
+
+    def self.callbacks
+      @@registered_callbacks
+    end
+
+    def self.overriden
+      @@overriden_methods
+    end
+
+    def self.callback_wrapper_pre(klass, method, instance, *args, &block)
+      Instrumentation.guard_call(method, []) do
+        callbacks = @@registered_callbacks.get(klass, method, :pre)
+        if callbacks.any?(&:whitelisted?)
+          callbacks = callbacks.reject(&:whitelisted?)
+        end
+
+        returns = []
+        callbacks.each do |cb|
+          # If record_request is part of callbacks we should filter after it ran
+          next if cb.whitelisted?
+          rule = cb.rule_name if cb.respond_to?(:rule_name)
+          Sqreen.log.debug { "running pre cb #{cb}" }
+          Sqreen::PerformanceNotifications.instrument("Callbacks/#{rule || cb.class.name}/pre") do
+            begin
+              res = cb.send(:pre, instance, *args, &block)
+              if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
+                Sqreen.log.debug do
+                  "#{cb} cannot block, overriding return value"
+                end
+                res = nil
+              elsif res.is_a?(Hash)
+                res[:rule_name] = rule
+              end
+              returns << res
+            rescue => e
+              Sqreen.log.warn "we catch an exception: #{e.inspect}"
+              Sqreen.log.debug e.backtrace
+              if cb.respond_to?(:record_exception)
+                cb.record_exception(e)
+              else
+                Sqreen::RemoteException.record(e)
+              end
+              next
+            end
+          end
+        end
+        returns
+      end
+    end
+
+    def self.callback_wrapper_post(klass, method, return_val, instance, *args, &block)
+      Instrumentation.guard_call(method, []) do
+        callbacks = @@registered_callbacks.get(klass, method, :post)
+        if callbacks.any?(&:whitelisted?)
+          callbacks = callbacks.reject(&:whitelisted?)
+        end
+
+        returns = []
+        callbacks.reverse_each do |cb|
+          rule = cb.rule_name if cb.respond_to?(:rule_name)
+          Sqreen.log.debug { "running post cb #{cb}" }
+          Sqreen::PerformanceNotifications.instrument("Callbacks/#{rule || cb.class.name}/post") do
+            begin
+              res = cb.send(:post, return_val, instance, *args, &block)
+              if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
+                Sqreen.log.debug do
+                  "#{cb} cannot block, overriding return value"
+                end
+                res = nil
+              elsif res.is_a?(Hash)
+                res[:rule_name] = rule
+              end
+              returns << res
+            rescue => e
+              Sqreen.log.warn "we catch an exception: #{e.inspect}"
+              Sqreen.log.debug e.backtrace
+              if cb.respond_to?(:record_exception)
+                cb.record_exception(e)
+              else
+                Sqreen::RemoteException.record(e)
+              end
+              next
+            end
+          end
+        end
+        returns
+      end
+    end
+
+    def self.callback_wrapper_failing(exception, klass, method, instance, *args, &block)
+      Instrumentation.guard_call(method, []) do
+        callbacks = @@registered_callbacks.get(klass, method, :failing)
+        if callbacks.any?(&:whitelisted?)
+          callbacks = callbacks.reject(&:whitelisted?)
+        end
+
+        returns = []
+        callbacks.each do |cb|
+          rule = cb.rule_name if cb.respond_to?(:rule_name)
+          Sqreen.log.debug { "running failing cb #{cb}" }
+          Sqreen::PerformanceNotifications.instrument("Callbacks/#{rule || cb.class.name}/failing") do
+            begin
+              res = cb.send(:failing, exception, instance, *args, &block)
+              if !res.nil? && cb.respond_to?(:block) && (!cb.block && !Sqreen.config_get(:block_all_rules))
+                Sqreen.log.debug do
+                  "#{cb} cannot block, overriding return value"
+                end
+                res = nil
+              elsif res.is_a?(Hash)
+                res[:rule_name] = rule
+              end
+              returns << res
+            rescue => e
+              Sqreen.log.warn "we catch an exception: #{e.inspect}"
+              Sqreen.log.debug e.backtrace
+              if cb.respond_to?(:record_exception)
+                cb.record_exception(e)
+              else
+                Sqreen::RemoteException.record(e)
+              end
+              next
+            end
+          end
+        end
+        returns
+      end
+    end
+
+    def self.guard_call(method, retval)
+      @sqreen_in_instr ||= nil
+      return retval if @sqreen_in_instr && @sqreen_in_instr.member?(method)
+      @sqreen_in_instr ||= Set.new
+      @sqreen_in_instr.add(method)
+      r = yield
+      @sqreen_in_instr.delete(method)
+      return r
+    rescue Exception => e
+      @sqreen_in_instr.delete(method)
+      raise e
+    end
+
+    def self.define_callback_method(meth, original_meth, klass_name)
+      proc do |*args, &block|
+        if Process.pid != Instrumentation.instrumented_pid
+          Sqreen.log.debug do
+            "Instrumented #{Instrumentation.instrumented_pid} != PID #{Process.pid}"
+          end
+          return send(original_meth, *args, &block)
+        end
+        Sqreen.stats.callbacks_calls += 1
+
+        skip = false
+        result = nil
+
+        # pre callback
+        returns = Instrumentation.callback_wrapper_pre(klass_name,
+                                                       meth,
+                                                       self,
+                                                       *args,
+                                                       &block)
+        returns.each do |ret|
+          next unless ret.is_a? Hash
+          case ret[:status]
+          when :skip, 'skip'
+            skip = true
+            result = ret[:new_return_value] if ret.key? :new_return_value
+            next
+          when :modify_args, 'modify_args'
+            args = ret[:args]
+          when :raise, 'raise'
+            fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+          end
+        end
+
+        return result if skip
+        begin
+          result = send(original_meth, *args, &block)
+        rescue => e
+          returns = Instrumentation.callback_wrapper_failing(e, klass_name,
+                                                             meth,
+                                                             self,
+                                                             *args,
+                                                             &block)
+          will_retry = false
+          will_raise = returns.empty?
+          returns.each do |ret|
+            will_raise = true if ret.nil?
+            next unless ret.is_a? Hash
+            case ret[:status]
+            when :override, 'override'
+              result = ret[:new_return_value] if ret.key? :new_return_value
+            when :retry, 'retry'
+              will_retry = true
+            else # :reraise, 'reraise'
+              will_raise = true
+            end
+          end
+          raise e if will_raise
+          retry if will_retry
+          result
+        else
+
+          # post callback
+          returns = Instrumentation.callback_wrapper_post(klass_name,
+                                                          meth,
+                                                          result,
+                                                          self,
+                                                          *args,
+                                                          &block)
+          returns.each do |ret|
+            next unless ret.is_a? Hash
+            case ret[:status]
+            when :raise, 'raise'
+              fail Sqreen::AttackBlocked, "Sqreen blocked a security threat (type: #{ret[:rule_name]}). No action is required."
+            when :override, 'override'
+              result = ret[:new_return_value]
+            else
+              next
+            end
+          end
+          result
+        end
+      end
+    end
+
+    def override_class_method(klass, meth)
+      # FIXME: This is somehow ugly. We should reduce the amount of
+      # `evaled` code.
+      str = " class << #{klass}
+
+      original = '#{meth}'.to_sym
+      saved_meth_name = '#{get_saved_method_name(meth)}'.to_sym
+      new_method      = '#{meth}_modified'.to_sym
+
+      alias_method saved_meth_name, original
+
+      p = Instrumentation.define_callback_method(original, saved_meth_name,
+                                                 #{klass})
+      define_method(new_method, p)
+
+      private new_method
+
+      method_kind = nil
+      case
+      when public_method_defined?(original)
+        method_kind = :public
+      when protected_method_defined?(original)
+        method_kind = :protected
+      when private_method_defined?(original)
+        method_kind = :private
+      end
+      alias_method original, new_method
+      send(method_kind, original)
+      private saved_meth_name
+      end "
+      eval str
+    end
+
+    def unoverride_instance_method(obj, meth)
+      saved_meth_name = get_saved_method_name(meth)
+
+      method_kind = nil
+      obj.class_eval do
+        # Note: As a lambda the following will crash ruby 2.2.3p173
+        case
+        when public_method_defined?(meth)
+          method_kind = :public
+        when protected_method_defined?(meth)
+          method_kind = :protected
+        when private_method_defined?(meth)
+          method_kind = :private
+        end
+        alias_method meth, saved_meth_name
+        send(method_kind, meth)
+      end
+    end
+
+    def get_saved_method_name(meth)
+      "#{meth}_not_modified".to_sym
+    end
+
+    def override_instance_method(klass_name, meth)
+      saved_meth_name = get_saved_method_name(meth)
+      new_method      = "#{meth}_modified".to_sym
+
+      p = Instrumentation.define_callback_method(meth, saved_meth_name,
+                                                 klass_name)
+      method_kind = nil
+      klass_name.class_eval do
+        alias_method saved_meth_name, meth
+
+        define_method(new_method, p)
+
+        case
+        when public_method_defined?(meth)
+          method_kind = :public
+        when protected_method_defined?(meth)
+          method_kind = :protected
+        when private_method_defined?(meth)
+          method_kind = :private
+        end
+        alias_method meth, new_method
+        private saved_meth_name
+        private new_method
+        send(method_kind, meth)
+      end
+      saved_meth_name
+    end
+
+    # WARNING We do not actually remove `meth`
+    def unoverride_class_method(klass, meth)
+      saved_meth_name = get_saved_method_name(meth)
+
+      eval "method_kind = nil; class << #{klass}
+          case
+          when public_method_defined?(#{meth.to_sym.inspect})
+            method_kind = :public
+          when protected_method_defined?(original)
+            method_kind = :protected
+          when private_method_defined?(#{meth.to_sym.inspect})
+            method_kind = :private
+          end
+          alias_method #{meth.to_sym.inspect}, #{saved_meth_name.to_sym.inspect}
+          send(method_kind, #{meth.to_sym.inspect})
+      end "
+    end
+
+    if RUBY_VERSION < '1.9'
+      def adjust_method_name(method)
+        method.to_s
+      end
+    else
+      def adjust_method_name(method)
+        method
+      end
+    end
+
+    def is_instance_method?(klass, method)
+      method = adjust_method_name(method)
+      klass.instance_methods.include?(method) ||
+        klass.private_instance_methods.include?(method)
+    end
+
+    def is_class_method?(klass, method)
+      method = adjust_method_name(method)
+      klass.singleton_methods.include? method
+    end
+
+    # Does this object or an instance of it respond_to method?
+    def valid_method?(obj, method)
+      return true if is_class_method?(obj, method)
+      return false unless obj.respond_to?(:instance_methods)
+      is_instance_method?(obj, method)
+    end
+
+    def add_callback(cb)
+      @@override_semaphore.synchronize do
+        klass = cb.klass
+        method = cb.method
+        key = [klass, method]
+
+        already_overriden = @@overriden_methods.include? key
+
+        if !already_overriden
+          if is_class_method?(klass, method)
+            Sqreen.log.debug "overriding class method for #{cb}"
+            success = override_class_method(klass, method)
+          elsif is_instance_method?(klass, method)
+            Sqreen.log.debug "overriding instance method for #{cb}"
+            success = override_instance_method(klass, method)
+          else
+            # FIXME: Override define_method and other dynamic ways to
+            # The following should be monitored to make sure we
+            # don't forget dynamically added methods:
+            #  - define_method
+            #  - method_added
+            #  - method_missing
+            #  ...
+            #
+            msg = "#{cb} is neither singleton or instance"
+            raise Sqreen::NotImplementedYet, msg
+          end
+
+          @@overriden_methods += [key] if success
+        else
+          Sqreen.log.debug "#{key} was already overriden"
+        end
+
+        @@registered_callbacks.add(cb)
+        @@instrumented_pid = Process.pid
+      end
+    end
+
+    def remove_callback(cb)
+      @@override_semaphore.synchronize do
+        remove_callback_no_lock(cb)
+      end
+    end
+
+    def remove_callback_no_lock(cb)
+      klass = cb.klass
+      method = cb.method
+
+      key = [klass, method]
+
+      already_overriden = @@overriden_methods.include? key
+      unless already_overriden
+        Sqreen.log.debug "#{key} not overriden, returning"
+        return
+      end
+
+      defined_cbs = @@registered_callbacks.get(klass, method)
+
+      nb_removed = 0
+      defined_cbs.each do |found_cb|
+        if found_cb == cb
+          Sqreen.log.debug "Removing callback #{found_cb}"
+          @@registered_callbacks.remove(found_cb)
+          nb_removed += 1
+        else
+          Sqreen.log.debug "Not removing callback #{found_cb} (remains #{defined_cbs.size} cbs)"
+        end
+      end
+
+      return unless nb_removed == defined_cbs.size
+
+      Sqreen.log.debug "Removing overriden method #{key}"
+      @@overriden_methods.delete(key)
+
+      if is_class_method?(klass, method)
+        unoverride_class_method(klass, method)
+      elsif is_instance_method?(klass, method)
+        unoverride_instance_method(klass, method)
+      else
+        # FIXME: Override define_method and other dynamic ways to
+        # The following should be monitored to make sure we
+        # don't forget dynamically added methods:
+        #  - define_method
+        #  - method_added
+        #  - method_missing
+        #  ...
+        #
+        msg = "#{cb} is neither singleton or instance"
+        raise Sqreen::NotImplementedYet, msg
+      end
+    end
+
+    def remove_all_callbacks
+      @@override_semaphore.synchronize do
+        @@registered_callbacks.entries.each do |cb|
+          remove_callback_no_lock(cb)
+        end
+        Sqreen.instrumentation_ready = false
+      end
+    end
+
+    attr_accessor :metrics_engine
+
+    # Instrument the application code using the rules
+    # @param rules [Array<Hash>] Rules to instrument
+    # @param metrics_engine [MetricsStore] Metric storage facility
+    def instrument!(rules, framework)
+      verifier = nil
+      if Sqreen.features['rules_signature']         &&
+         Sqreen.config_get(:rules_verify_signature) == true &&
+         !defined?(::JRUBY_VERSION)
+        verifier = Sqreen::SqreenSignedVerifier.new
+      else
+        Sqreen.log.debug('Rules signature is not enabled')
+      end
+      remove_all_callbacks # Force cb tree to be empty before instrumenting
+      rules.each do |rule|
+        rcb = Sqreen::Rules.cb_from_rule(rule, self, metrics_engine, verifier)
+        next unless rcb
+        rcb.framework = framework
+        add_callback(rcb)
+      end
+      Sqreen.instrumentation_ready = true
+    end
+
+    def initialize(metrics_engine = nil)
+      self.metrics_engine = metrics_engine
+      return if metrics_engine.nil?
+      metrics_engine.create_metric('name' => CallCountable::COUNT_CALLS,
+                                   'period' => 60,
+                                   'kind' => 'Sum')
+      metrics_engine.create_metric('name' => WHITELISTED_METRIC,
+                                   'period' => 60,
+                                   'kind' => 'Sum')
+    end
+  end
+end