sqreen 1.18.6 → 1.19.0.beta1

data/lib/sqreen/rules/update_request_context.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/rules/url_matches_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/rules/user_agent_matches_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/rules/waf_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/rules/xss_cb.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/run_when_called_cb.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/runner.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
@@ -18,8 +20,9 @@ require 'sqreen/deliveries/simple'
 require 'sqreen/deliveries/batch'
 require 'sqreen/performance_notifications/metrics'
 require 'sqreen/performance_notifications/binned_metrics'
-require 'sqreen/instrumentation'
+require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
+require 'sqreen/weave/legacy/instrumentation'
 
 module Sqreen
   @features = {}
@@ -117,7 +120,12 @@ module Sqreen
       register_exit_cb if set_at_exit
 
       self.metrics_engine = MetricsStore.new
-      @instrumenter = Instrumentation.new(metrics_engine)
+
+      if @configuration.get(:weave)
+        @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
+      else
+        @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)
+      end
 
       Sqreen.log.debug "Using token #{@token}"
       response = create_session(session_class)
@@ -235,7 +243,7 @@ module Sqreen
     def remove_instrumentation(_context_infos = {})
       Sqreen.log.debug 'Removing instrumentation'
       instrumenter.remove_all_callbacks
-      Sqreen::Actions::Repository.instance.clear
+      Sqreen::Actions::Repository.clear
       Sqreen.log.debug 'Instrumentation removed'
       true
     end
@@ -244,7 +252,6 @@ module Sqreen
       Sqreen.log.debug 'Reloading rules'
       rulespack_id, rules = load_rules
       instrumenter.remove_all_callbacks
-      Sqreen::Actions::Repository.instance.clear
 
       @framework.instrument_when_ready!(instrumenter, rules)
       Sqreen.log.debug 'Rules reloaded'
@@ -304,12 +311,18 @@ module Sqreen
       Sqreen.update_features(features)
       session.request_compression = features['request_compression'] if session
       self.performance_metrics_period = features['performance_metrics_period']
+
+      unless @configuration.get(:weave)
+
       config_binned_metrics(features['perf_level'] || DEFAULT_PERF_LEVEL,
                             features['perf_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_BASE,
                             features['perf_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_UNIT,
                             features['perf_pct_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_PCT_BASE,
                             features['perf_pct_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_PCT_UNIT,
                            )
+
+      end
+
       self.call_counts_metrics_period = features['call_counts_metrics_period']
       hd = features['heartbeat_delay'].to_i
       self.heartbeat_delay = hd if hd > 0
@@ -456,13 +469,12 @@ module Sqreen
     def load_actions(hashes)
       unsupported = Set.new
 
-      repos = Sqreen::Actions::Repository.instance
-      repos.clear
+      new_repos = Sqreen::Actions::Repository.new
 
       actions = hashes.map do |h|
         begin
           act = Sqreen::Actions.deserialize_action(h)
-          repos.add h['parameters'], act
+          new_repos.add h['parameters'], act
           act
         rescue Sqreen::Actions::UnknownActionType => e
           Sqreen.log.warn("Unsupported action type: #{e.action_type}")
@@ -476,6 +488,8 @@ module Sqreen
       actions = actions.reject(&:nil?)
       Sqreen.log.debug("Added #{actions.size} valid actions")
 
+      Sqreen::Actions::Repository.current = new_repos
+
       unsupported
     end
   end

data/lib/sqreen/runtime_infos.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/safe_json.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sdk.rb

@@ -1,6 +1,10 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
+require 'sqreen/frameworks'
+
 # Sqreen Namespace
 module Sqreen
 

data/lib/sqreen/sensitive_data_redactor.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/serializer.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/session.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shared_storage.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shared_storage23.rb

@@ -1,3 +1,5 @@
+# typed: ignore
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/shrink_wrap.rb

@@ -0,0 +1,16 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  class ShrinkWrap
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @app.call(env)
+    end
+  end
+end

data/lib/sqreen/signature_verifier.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sinatra_middleware.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/sqreen_signed_verifier.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/token_invalid_exception.rb

@@ -1,3 +1,5 @@
+# typed: strong
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/token_not_found_exception.rb

@@ -1,3 +1,5 @@
+# typed: strong
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/trie.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/unauthorized.rb

@@ -1,3 +1,5 @@
+# typed: strong
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util.rb

@@ -1,2 +1,7 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
 module Sqreen; end
 module Sqreen::Util; end

data/lib/sqreen/util/capped_array.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util/capped_hash.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util/capped_string.rb

@@ -1,3 +1,5 @@
+# typed: false
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/util/capper.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/version.rb

@@ -1,6 +1,8 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 module Sqreen
-  VERSION = '1.18.6'.freeze
+  VERSION = '1.19.0.beta1'.freeze
 end

data/lib/sqreen/waf_error.rb

@@ -1,3 +1,5 @@
+# typed: true
+
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 

data/lib/sqreen/weave.rb

@@ -0,0 +1,12 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log/loggable'
+
+module Sqreen
+  module Weave
+    include Sqreen::Log::Loggable
+  end
+end

data/lib/sqreen/weave/hardcoded.rb

@@ -0,0 +1,19 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/weave'
+
+class Sqreen::Weave::Hardcoded
+  # [
+  #   ### callback for performing sec responses based on ip
+  #   ### init redefined to implement smartass way to hook it upon the
+  #   ### framework's middleware #call
+  #   Sqreen::Rules::RunReqStartActions.new(framework),
+  #   ### callback for performing sec responses based on user
+  #   Sqreen::Rules::RunUserActions.new(Sqreen, :identify, 0),
+  #   ### callback for performing sec responses based on user
+  #   Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
+  # ]
+end

data/lib/sqreen/weave/instrumentor.rb

@@ -0,0 +1,48 @@
+# typed: true
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/weave'
+
+# rule loader: decouple from runner
+# remote rules from back
+# local rules from local files
+# => rule list (what is a rule?)
+# => to callback (what is a callback?)
+# => to instrumentation (== attach callbacks to their targets using graft)
+
+# make shit like instrument framework independent (block passing?)
+# => too much things assume only one framework
+# possible to do run req actions without hardcoded cbs?
+# (data comes from actions command, native cb merely binds to middleware)
+# can cb be a form of abstraction?
+
+# rule sig: decouple/split
+# - data signer/checker
+# apply this to rule data
+
+# whitelist is mixed in
+
+# metrics
+# three dedicated metrics: abstract and isolate
+
+class Sqreen::Weave::Instrumentor
+  def initialize(metrics_engine)
+    ### bail out if no metric engine
+    ### init metric to count calls to sqreen
+    ### init metric to count request whitelist matches (ip or path whitelist)
+    ### init metric to count over budget hits
+  end
+
+  def instrument!(rules, framework)
+    ### set up rule signature verifier
+    ### force clean instrumentation callback list
+    ### for each rule description, transform into format for adding callback
+    ###   attach framework to callback
+    ###   install callback, observing priority
+    ### for each hardcoded callback
+    ###   install hardcoded callbacks, observing priority
+    ### globally declare instrumentation ready
+  end
+end

data/lib/sqreen/weave/legacy.rb

@@ -0,0 +1,12 @@
+# typed: strong
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/weave'
+
+module Sqreen
+  module Weave
+    module Legacy; end
+  end
+end

data/lib/sqreen/weave/legacy/instrumentation.rb

@@ -0,0 +1,398 @@
+# typed: false
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/weave/legacy'
+require 'sqreen/graft/hook_point'
+require 'sqreen/call_countable'
+require 'sqreen/rules'
+require 'sqreen/rules/record_request_context'
+
+class Sqreen::Weave::Legacy::Instrumentation
+  attr_accessor :metrics_engine
+
+  def initialize(metrics_engine, opts = {})
+    Sqreen::Weave.logger.debug { "#{self.class.name}#initialize #{metrics_engine}" }
+    @hooks = []
+
+    self.metrics_engine = metrics_engine
+
+    ### bail out if no metric engine
+    return if metrics_engine.nil?
+
+    ### init metric to count calls to sqreen
+    metrics_engine.create_metric(
+      'name' => 'sqreen_call_counts',
+      'period' => 60,
+      'kind' => 'Sum',
+    )
+    ### init metric to count request whitelist matches (ip or path whitelist)
+    metrics_engine.create_metric(
+      'name' => 'whitelisted',
+      'period' => 60,
+      'kind' => 'Sum',
+    )
+    ### init metric to count over budget hits
+    metrics_engine.create_metric(
+      'name' => 'request_overtime',
+      'period' => 60,
+      'kind' => 'Sum',
+    )
+
+    # PerformanceNotifications::Binning
+    metrics_engine.create_metric(
+      'name' => 'req',
+      'period' => opts[:period] || 60,
+      'kind' => 'Binning',
+      'options' => opts[:perf_metric] || { 'base' => 2.0, 'factor' => 0.1 },
+    )
+    metrics_engine.create_metric(
+      'name' => 'sq',
+      'period' => opts[:period] || 60,
+      'kind' => 'Binning',
+      'options' => opts[:perf_metric] || { 'base' => 2.0, 'factor' => 0.1 },
+    )
+    metrics_engine.create_metric(
+      'name' => 'pct',
+      'period' => opts[:period] || 60,
+      'kind' => 'Binning',
+      'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
+    )
+
+    Sqreen.thread_cpu_time? && metrics_engine.create_metric(
+      'name' => 'sq_thread_cpu_pct',
+      'period' => opts[:period] || 60,
+      'kind' => 'Binning',
+      'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
+    )
+  end
+
+  # needed by Sqreen::Runner#initialize
+  def instrument!(rules, framework)
+    Sqreen::Weave.logger.debug { "#{rules.count} rules, #{framework}" }
+
+    strategy = Sqreen.config_get(:weave_strategy)
+    if strategy == :prepend && !Module.respond_to?(:prepend)
+      Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
+      strategy = :chain
+    end
+    Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect}" }
+
+    ### set up rule signature verifier
+    verifier = nil
+    ### force clean instrumentation callback list
+    @hooks = []
+    ### for each rule description
+    rules.each do |rule|
+      Sqreen::Weave.logger.debug { "Processing rule: #{rule['name']}" }
+      ### transform into format for adding callback
+      rule_callback = Sqreen::Rules.cb_from_rule(rule, self, metrics_engine, verifier)
+      next unless rule_callback
+      ### attach framework to callback
+      rule_callback.framework = framework
+      ### install callback, observing priority
+      Sqreen::Weave.logger.debug { "Adding rule callback: #{rule_callback}" }
+      @hooks << add_callback("weave,rule=#{rule['name']}", rule_callback, strategy)
+    end
+
+    ### for each hardcoded callback
+    hardcoded_callbacks(framework).each do |hard_callback|
+      Sqreen::Weave.logger.debug { "Adding hardcoded callback: #{hard_callback}" }
+      ###   install hardcoded callbacks, observing priority
+      @hooks << add_callback('weave,hardcoded', hard_callback, strategy)
+    end
+
+    metrics_engine = self.metrics_engine
+    request_hook = Sqreen::Graft::Hook['Sqreen::ShrinkWrap#call', strategy]
+    @hooks << request_hook
+    request_hook.add do
+      before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
+        uuid = SecureRandom.uuid
+        now = Sqreen::Graft::Timer.read
+        Thread.current[:sqreen_http_request] = {
+          uuid: uuid,
+          start_time: now,
+          time_budget: Sqreen.performance_budget,
+          time_budget_expended: false,
+          timer: Sqreen::Graft::Timer.new("request_#{uuid}"),
+          timed_callbacks: [],
+          timed_hooks: [],
+          timed_hooks_before: [],
+          timed_hooks_after: [],
+          timed_hooks_raised: [],
+          timed_hooks_ensured: [],
+          skipped_callbacks: [],
+        }
+
+        Sqreen::Weave.logger.debug { "request.uuid: #{uuid}" }
+      end
+
+      ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
+        request = Thread.current[:sqreen_http_request]
+        Thread.current[:sqreen_http_request] = nil
+        now = Sqreen::Graft::Timer.read
+        utc_now = Time.now.utc
+
+        request[:timed_callbacks].each do |timer|
+          duration = timer.duration
+          # stop = now
+          # start = now - duration
+          timer.tag =~ /weave,rule=(.*)$/ && rule = $1
+          timer.tag =~ /@before/ && whence = 'pre'
+          timer.tag =~ /@after/  && whence = 'post'
+          timer.tag =~ /@raised/ && whence = 'failing'
+
+          next unless rule && whence
+
+          # Sqreen::PerformanceNotifications.notify(rule, whence, start, stop)
+          # => BinnedMetrics
+          metric_name = "sq.#{rule}.#{whence}"
+          unless metrics_engine.metric?(metric_name)
+            metrics_engine.create_metric(
+              'name' => metric_name,
+              'period' => 60,
+              'kind' => 'Binning',
+              'options' => { 'base' => 2.0, 'factor' => 0.1 },
+            )
+          end
+          metrics_engine.update(metric_name, now, nil, duration * 1000)
+        end
+
+        metric_name = 'sq.hooks_pre.pre'
+        duration = request[:timed_hooks_before].sum(&:duration)
+        unless metrics_engine.metric?(metric_name)
+          metrics_engine.create_metric(
+            'name' => metric_name,
+            'period' => 60,
+            'kind' => 'Binning',
+            'options' => { 'base' => 2.0, 'factor' => 0.1 },
+          )
+        end
+        metrics_engine.update(metric_name, now, nil, duration * 1000)
+
+        metric_name = 'sq.hooks_post.post'
+        duration = request[:timed_hooks_after].sum(&:duration)
+        unless metrics_engine.metric?(metric_name)
+          metrics_engine.create_metric(
+            'name' => metric_name,
+            'period' => 60,
+            'kind' => 'Binning',
+            'options' => { 'base' => 2.0, 'factor' => 0.1 },
+          )
+        end
+        metrics_engine.update(metric_name, now, nil, duration * 1000)
+
+        metric_name = 'sq.hooks_failing.failing'
+        duration = request[:timed_hooks_raised].sum(&:duration)
+        unless metrics_engine.metric?(metric_name)
+          metrics_engine.create_metric(
+            'name' => metric_name,
+            'period' => 60,
+            'kind' => 'Binning',
+            'options' => { 'base' => 2.0, 'factor' => 0.1 },
+          )
+        end
+        metrics_engine.update(metric_name, now, nil, duration * 1000)
+
+        skipped = request[:skipped_callbacks].map(&:name)
+        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.skipped.size: #{skipped.count} callback.skipped: [#{skipped.join(', ')}]" }
+        timer = request[:timer]
+        total = timer.duration
+        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} timer.total: #{'%.03fus' % (total * 1_000_000)} timer.size: #{timer.size}" }
+        timings = request[:timed_callbacks].map(&:to_s)
+        total = request[:timed_callbacks].sum(&:duration)
+        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.total: #{'%.03fus' % (total * 1_000_000)} callback.timings: [#{timings.join(', ')}]" }
+        timings = request[:timed_hooks].map(&:to_s)
+        total = request[:timed_hooks].sum(&:duration)
+        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} hook.total: #{'%.03fus' % (total * 1_000_000)} hook.timings: [#{timings.join(', ')}]" }
+
+        skipped = request[:skipped_callbacks].map(&:name)
+        skipped_rule_name = skipped.first && skipped.first =~ /weave,rule=(.*)$/ && $1
+        Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
+
+        sqreen_request_duration = total
+        Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
+
+        request_duration = now - request[:start_time]
+        Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
+
+        sqreen_request_ratio = (sqreen_request_duration * 100.0) / (request_duration - sqreen_request_duration)
+        Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+      end
+    end.install
+
+    ### globally declare instrumentation ready
+    Sqreen.instrumentation_ready = true
+  end
+
+  # needed by Sqreen::Runner
+  def remove_all_callbacks
+    Sqreen.instrumentation_ready = false
+
+    loop do
+      hook = @hooks.pop
+      break unless hook
+      Sqreen::Weave.logger.debug { "hook.deinstrument: #{hook}" }
+      hook.uninstall
+      hook.clear
+    end
+  end
+
+  # needed by #instrument!
+  def add_callback(rule, callback, strategy)
+    Sqreen::Weave.logger.debug { "Adding rule: #{rule} callback: #{callback}" }
+    klass = callback.klass
+    method = callback.method
+
+    if Sqreen::Graft::HookPoint.new("#{klass}.#{method}").exist?
+      hook_point = "#{klass}.#{method}"
+    elsif Sqreen::Graft::HookPoint.new("#{klass}##{method}").exist?
+      hook_point = "#{klass}##{method}"
+    end
+
+    return if hook_point.nil?
+
+    priority = callback.priority || 100
+    block = callback.respond_to?(:block) ? callback.block : true
+    ignore = -> { callback.whitelisted? } if callback.respond_to?(:whitelisted?)
+
+    hook = Sqreen::Graft::Hook[hook_point, strategy]
+    hook.add do
+      if callback.pre?
+        before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
+          return unless Sqreen.instrumentation_ready
+
+          i = call.instance
+          a = call.args
+          r = call.remaining
+
+          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i}" }
+          begin
+            ret = callback.pre(i, a, r)
+          rescue StandardError => e
+            Sqreen::Weave.logger.warn { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i} => exception=#{e}" }
+            if callback.respond_to?(:record_exception)
+              callback.record_exception(e)
+            else
+              Sqreen::RemoteException.record(e)
+            end
+          end
+          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i} => return=#{ret.inspect}" }
+
+          case ret[:status]
+          when :skip, 'skip'
+            throw(b, b.return(ret[:new_return_value]).break!) if ret.key?(:new_return_value)
+          when :modify_args, 'modify_args'
+            throw(b, b.args(ret[:args]))
+          when :raise, 'raise'
+            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
+            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
+          end unless ret.nil?
+        end
+      end
+
+      if callback.post?
+        after(rule, rank: -priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
+          return unless Sqreen.instrumentation_ready
+
+          i = call.instance
+          v = call.returned
+          a = call.args
+          r = call.remaining
+
+          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i}" }
+          begin
+            ret = callback.post(v, i, a, r)
+          rescue StandardError => e
+            Sqreen::Weave.logger.warn { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i} => exception=#{e}" }
+            if callback.respond_to?(:record_exception)
+              callback.record_exception(e)
+            else
+              Sqreen::RemoteException.record(e)
+            end
+          end
+          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i} => return=#{ret.inspect}" }
+
+          case ret[:status]
+          when :override, 'override'
+            throw(b, b.return(ret[:new_return_value])) if ret.key?(:new_return_value)
+          when :raise, 'raise'
+            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
+            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
+          end unless ret.nil?
+        end
+      end
+
+      if callback.failing?
+        raised(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
+          return unless Sqreen.instrumentation_ready
+
+          i = call.instance
+          e = call.raised
+          a = call.args
+          r = call.remaining
+
+          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i}" }
+          begin
+            ret = callback.failing(e, i, a, r)
+          rescue StandardError => e
+            Sqreen::Weave.logger.warn { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => exception=#{e}" }
+            if callback.respond_to?(:record_exception)
+              callback.record_exception(e)
+            else
+              Sqreen::RemoteException.record(e)
+            end
+          end
+          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => return=#{ret.inspect}" }
+
+          raise e if ret.nil?
+
+          case ret[:status]
+          when :override, 'override'
+            throw(b, b.return(ret[:new_return_value])) if ret.key?(:new_return_value)
+          when :retry, 'retry'
+            throw(b, b.retry)
+          when :raise, 'raise'
+            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
+            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
+          when :reraise, 'reraise'
+            throw(b, b.raise(e))
+          else
+            throw(b, b.raise(e))
+          end unless ret.nil?
+        end
+      end
+    end.install
+
+    hook
+  end
+
+  # needed by Sqreen::Rules.cb_from_rule
+  def valid_method?(klass, method)
+    if Sqreen::Graft::HookPoint.new("#{klass}.#{method}").exist?
+      Sqreen::Weave.logger.debug { "HookPoint found: #{klass}.#{method}" }
+      true
+    elsif Sqreen::Graft::HookPoint.new("#{klass}##{method}").exist?
+      Sqreen::Weave.logger.debug { "HookPoint found: #{klass}##{method}" }
+      true
+    else
+      Sqreen::Weave.logger.debug { "HookPoint not found: #{klass} #{method}" }
+      false
+    end
+  end
+
+  # needed by #instrument!
+  def hardcoded_callbacks(framework)
+    [
+      ### callback for performing sec responses based on ip
+      ### init redefined to implement smartass way to hook it upon the
+      ### framework's middleware #call
+      Sqreen::Rules::RunReqStartActions.new(framework),
+      ### callback for performing sec responses based on user
+      Sqreen::Rules::RunUserActions.new(Sqreen, :identify, 0),
+      ### callback for performing sec responses based on user
+      Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
+    ]
+  end
+end