sqreen 1.19.1-java → 1.21.0.beta3-java

data/lib/sqreen/signals/http_trace_redaction.rb

@@ -0,0 +1,111 @@
+require 'json'
+require 'sqreen/kit/loggable'
+require 'sqreen/kit/signals/specialized/http_trace'
+
+module Sqreen
+  module Signals
+    module HttpTraceRedaction
+      class << self
+        include Sqreen::Kit::Loggable
+
+        # @param [Sqreen::Kit::Signals::Specialized::HttpTrace] trace
+        # @param [Sqreen::SensitiveDataRedactor] redactor
+        def redact_trace!(trace, redactor)
+          return unless redactor
+          # redact headers (keys unsafe)
+          # @type [Sqreen::Kit::Signals::Context::HttpContext]
+          http_context = trace.context
+
+          all_redacted = []
+
+          # Redact headers; save redacted values
+          # headers are encoded as [key, value], not a hash, so
+          # they require some transformation
+          orig_headers = http_context.headers
+          if orig_headers
+            headers = orig_headers.map { |(k, v)| { k => v } }
+            headers, redacted = redactor.redact(headers)
+            http_context.headers = headers.map(&:first)
+            all_redacted += redacted
+          end
+
+          # Redact params; save redacted values
+          Kit::Signals::Context::HttpContext::PARAMS_ATTRS.each do |attr|
+            value = http_context.public_send(attr)
+            next unless value
+            value, redacted = redactor.redact(value)
+            all_redacted += redacted
+            http_context.public_send(:"#{attr}=", value)
+          end
+
+          all_redacted = all_redacted.uniq.map(&:downcase)
+
+          # Redact attacks and exceptions
+          # XXX: no redaction for infos in attacks/exceptions except for WAF data
+          # Is this the correct behavior?
+          redact_attacks!(trace, redactor, all_redacted)
+          redact_exceptions!(trace, redactor, all_redacted)
+        end
+
+        private
+
+        # @param [Sqreen::Kit::Signals::Specialized::HttpTrace] trace
+        # @param [Sqreen::SensitiveDataRedactor] redactor
+        # Redacts WAF data according to specific rules therefor
+        # Redacts infos according to general rules
+        def redact_attacks!(trace, redactor, redacted_data)
+          trace.data.each do |signal|
+            next unless signal.is_a?(Kit::Signals::Specialized::Attack)
+            # @type [Sqreen::Kit::Signals::Specialized::Attack::Payload] payload
+            payload = signal.payload
+            next unless payload.infos
+
+            if payload.infos[:waf_data]
+              redact_waf_attack_data!(payload.infos, redacted_data)
+            end
+            payload.infos, = redactor.redact(payload.infos)
+          end
+        end
+
+        def redact_exceptions!(trace, redactor, redacted_data)
+          trace.data.each do |signal|
+            next unless signal.is_a?(Kit::Signals::Specialized::SqreenException)
+            infos = signal.infos
+            next unless infos
+
+            redact_waf_exception_data!(signal.infos, redacted_data) if signal.infos[:waf]
+            signal.infos, = redactor.redact(infos)
+          end
+        end
+
+        # @param [Hash] infos from WAF attack
+        def redact_waf_attack_data!(infos, redacted_data)
+          begin
+            parsed = JSON.parse(infos[:waf_data])
+          rescue JSON::JSONError => e
+            logger.warn("waf_data is not valid json: #{e.message}")
+            return
+          end
+          redacted = parsed.each do |w|
+            next unless (filters = w['filter'])
+
+            filters.each do |f|
+              next unless (v = f['resolved_value'])
+              next unless redacted_data.include?(v.downcase)
+
+              f['match_status'] = SensitiveDataRedactor::MASK
+              f['resolved_value'] = SensitiveDataRedactor::MASK
+            end
+          end
+          infos[:waf_data] = JSON.dump(redacted)
+        end
+
+        # see https://github.com/sqreen/TechDoc/blob/master/content/specs/spec000022-waf-data-sanitization.md#changes-to-the-agents
+        def redact_waf_exception_data!(infos, redacted_data)
+          return if redacted_data.empty?
+          infos[:waf].delete(:args)
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/signals/signals_submission_strategy.rb

@@ -0,0 +1,78 @@
+require 'sqreen/aggregated_metric'
+require 'sqreen/kit'
+require 'sqreen/kit/string_sanitizer'
+require 'sqreen/signals/conversions'
+require 'sqreen/log/loggable'
+
+module Sqreen
+  module Signals
+    # see also Sqreen::Legacy::OldEventSubmissionStrategy
+    # usage in Sqreen:Session
+    class SignalsSubmissionStrategy
+      include Sqreen::Log::Loggable
+
+      # @param [Array<Sqreen::AggregatedMetric>] metrics
+      def post_metrics(metrics)
+        return if metrics.nil? || metrics.empty?
+
+        guarded 'Failed to serialize or submit aggregated metrics' do
+          batch = metrics.map do |m|
+            Conversions.convert_metric_sample(m)
+          end
+          client.report_batch(batch)
+        end
+      end
+
+      # @param _attack [Sqreen::Attack]
+      # XXX: unused
+      def post_attack(_attack)
+        raise NotImplementedError
+      end
+
+      # @param request_record [Sqreen::RequestRecord]
+      def post_request_record(request_record)
+        guarded 'Failed to serialize or submit request record' do
+          trace = Conversions.convert_req_record(request_record)
+          append_sanitizing_filter(trace)
+          client.report_trace(trace)
+        end
+      end
+
+      # Post an exception to Sqreen for analysis
+      # @param exception [RemoteException] Exception and context to be sent over
+      def post_sqreen_exception(exception)
+        guarded 'Failed to serialize or submit exception', false do
+          data = Conversions.convert_exception(exception)
+          append_sanitizing_filter(data)
+          client.report_signal(data)
+        end
+      end
+
+      def post_batch(events)
+        guarded 'Failed to serialize or submit batch of events' do
+          batch = Conversions.convert_batch(events)
+          batch.each { |sig_or_trace| append_sanitizing_filter(sig_or_trace) }
+          client.report_batch(batch)
+        end
+      end
+
+      private
+
+      def append_sanitizing_filter(sig_or_trace)
+        sig_or_trace.append_to_h_filter Kit::StringSanitizer.method(:sanitize)
+      end
+
+      # we don't want exceptions to propagate and kill the worker thread
+      def guarded(msg, report = true)
+        yield
+      rescue StandardError => e
+        logger.warn "#{msg}: #{e.message}\n#{e.backtrace.map { |x| "  #{x}" }.join("\n")}"
+        post_sqreen_exception(RemoteException.new(e)) if report
+      end
+
+      def client
+        Sqreen::Kit.auth_signals_client
+      end
+    end
+  end
+end

data/lib/sqreen/version.rb

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 module Sqreen
-  VERSION = '1.19.1'.freeze
+  VERSION = '1.21.0.beta3'.freeze
 end

data/lib/sqreen/weave/budget.rb

@@ -0,0 +1,35 @@
+# typed: false
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log/loggable'
+require 'sqreen/weave'
+
+class Sqreen::Weave::Budget
+  include Sqreen::Log::Loggable
+
+  def initialize(threshold)
+    @threshold = threshold
+  end
+
+  attr_reader :threshold
+
+  def to_h
+    { threshold: threshold }
+  end
+
+  class << self
+    attr_reader :current
+
+    def update(opts = nil)
+      Sqreen::Weave.logger.info("budget update:#{opts.inspect}")
+
+      return @current = nil if opts.nil? || opts.empty?
+
+      threshold = opts[:threshold]
+
+      @current = threshold
+    end
+  end
+end

data/lib/sqreen/weave/legacy/instrumentation.rb

@@ -4,23 +4,41 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/weave/legacy'
+require 'sqreen/weave/budget'
+require 'sqreen/graft/hook'
 require 'sqreen/graft/hook_point'
 require 'sqreen/call_countable'
 require 'sqreen/rules'
 require 'sqreen/rules/record_request_context'
+require 'sqreen/sqreen_signed_verifier'
+require 'rack/request'
+begin
+  require 'sq_detailed_metrics'
+rescue LoadError => _e # rubocop:disable Lint/HandleExceptions
+end
 
 class Sqreen::Weave::Legacy::Instrumentation
   attr_accessor :metrics_engine
 
+  HAS_SQ_DETAILED_METRICS = defined?(::SqDetailedMetrics)
+  REQ_LVL_2_METRIC = 'request_level_perf'.freeze
+
   def initialize(metrics_engine, opts = {})
     Sqreen::Weave.logger.debug { "#{self.class.name}#initialize #{metrics_engine}" }
     @hooks = []
 
+    unless HAS_SQ_DETAILED_METRICS
+      Sqreen::Weave.logger.warn { "Detailed metrics are unavailable" }
+    end
+
     self.metrics_engine = metrics_engine
 
     ### bail out if no metric engine
     return if metrics_engine.nil?
 
+    # XXX: these metric definitions do not support change of opts
+    #      due to features updates!
+
     ### init metric to count calls to sqreen
     metrics_engine.create_metric(
       'name' => 'sqreen_call_counts',
@@ -60,12 +78,42 @@ class Sqreen::Weave::Legacy::Instrumentation
       'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
     )
 
+    metrics_engine.create_metric(
+      'name' => 'req.sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+
+    metrics_engine.create_metric(
+      'name' => 'sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+
+    metrics_engine.create_metric(
+      'name' => 'sq.shrinkwrap',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+
     Sqreen.thread_cpu_time? && metrics_engine.create_metric(
       'name' => 'sq_thread_cpu_pct',
       'period' => opts[:period] || 60,
       'kind' => 'Binning',
       'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
     )
+
+    if HAS_SQ_DETAILED_METRICS # rubocop:disable Style/GuardClause
+      @lvl_2_metric = metrics_engine.create_metric(
+        'name' => REQ_LVL_2_METRIC,
+        'period' => opts[:perf_req_metrics_period] || 60,
+        'kind' => 'ReqDetailed',
+      )
+      @lvl_2_max_reqs = opts[:perf_req_metrics_max_reqs] || 100
+    end
   end
 
   # needed by Sqreen::Runner#initialize
@@ -84,6 +132,15 @@ class Sqreen::Weave::Legacy::Instrumentation
 
     ### set up rule signature verifier
     verifier = nil
+    if Sqreen.features['rules_signature'] &&
+       Sqreen.config_get(:rules_verify_signature) == true &&
+       !defined?(::JRUBY_VERSION)
+      verifier = Sqreen::SqreenSignedVerifier.new
+      Sqreen::Weave.logger.debug('Rules signature enabled')
+    else
+      Sqreen::Weave.logger.debug('Rules signature disabled')
+    end
+
     ### force clean instrumentation callback list
     @hooks = []
     ### for each rule description
@@ -94,6 +151,25 @@ class Sqreen::Weave::Legacy::Instrumentation
       next unless rule_callback
       ### attach framework to callback
       rule_callback.framework = framework
+      ## create metric
+      Sqreen::Weave.logger.debug { "Adding rule metric: #{rule_callback}" }
+      [:pre, :post, :failing].each do |whence|
+        next unless rule_callback.send(:"#{whence}?")
+        metric_name = "sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+        metric_name = "req.sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+      end
       ### install callback, observing priority
       Sqreen::Weave.logger.debug { "Adding rule callback: #{rule_callback}" }
       @hooks << add_callback("weave,rule=#{rule['name']}", rule_callback, strategy)
@@ -107,30 +183,62 @@ class Sqreen::Weave::Legacy::Instrumentation
     end
 
     metrics_engine = self.metrics_engine
+    lvl_2_metric = @lvl_2_metric
+    lvl_2_max_reqs = @lvl_2_max_reqs
+
     request_hook = Sqreen::Graft::Hook['Sqreen::ShrinkWrap#call', strategy]
     @hooks << request_hook
     request_hook.add do
-      before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
+      before('wave,meta,request', rank: -100000, mandatory: true) do |call|
         next unless Sqreen.instrumentation_ready
 
-        uuid = SecureRandom.uuid
-        now = Sqreen::Graft::Timer.read
+        # shrinkwrap_timer = Sqreen::Graft::Timer.new('weave,shrinkwrap')
+        # shrinkwrap_timer.start
+
+        request_timer = Sqreen::Graft::Timer.new("request")
+        request_timer.start
+        sqreen_timer = Sqreen::Graft::Timer.new("sqreen")
+        budget = Sqreen::Weave::Budget.current
+
+        timed_level = (Sqreen.features['perf_level'] || 1).to_i
+        timed_level = 1 if !HAS_SQ_DETAILED_METRICS && timed_level == 2
+        if timed_level == 2 && lvl_2_metric.num_requests >= lvl_2_max_reqs
+          timed_level = 1
+          Sqreen::Weave.logger.debug { "Reducing timed level to 1 (#{lvl_2_metric.num_requests} reqs accumulated)" }
+        end
+
+        Sqreen::Weave.logger.debug { "request budget: #{budget} timed.level: #{timed_level}" } if Sqreen::Weave.logger.debug?
+
+        route_found = nil
+        if timed_level >= 2
+          rack_env, = call.args
+          rack_request = Rack::Request.new(rack_env) if rack_env
+
+          # TODO: Rails engines
+          # TODO: Struct
+          # TODO: Sinatra
+          # TODO: Rack?
+          Rails.application.routes.router.recognize(rack_request) do |route, params|
+            route = ActionDispatch::Routing::RouteWrapper.new(route)
+            route_found = { name: route.name, verb: route.verb, path: route.path, reqs: route.reqs, params: params }
+          end if defined?(Rails) && Rails.application && defined?(ActionDispatch::Routing::RouteWrapper)
+        end
+
+        # TODO: Struct
         Thread.current[:sqreen_http_request] = {
-          uuid: uuid,
-          start_time: now,
-          time_budget: Sqreen.performance_budget,
+          request_timer: request_timer,
+          sqreen_timer: sqreen_timer,
           time_budget_expended: false,
-          timer: Sqreen::Graft::Timer.new("request_#{uuid}"),
+          time_budget: budget,
           timed_callbacks: [],
           timed_hooks: [],
-          timed_hooks_before: [],
-          timed_hooks_after: [],
-          timed_hooks_raised: [],
-          timed_hooks_ensured: [],
+          timed_level: timed_level,
           skipped_callbacks: [],
+          route: ("#{route_found[:verb]} #{route_found[:path]}" if route_found),
+          # timed_shrinkwrap: shrinkwrap_timer,
         }
 
-        Sqreen::Weave.logger.debug { "request.uuid: #{uuid}" }
+        # shrinkwrap_timer.stop
       end
 
       ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
@@ -138,105 +246,89 @@ class Sqreen::Weave::Legacy::Instrumentation
 
         next if request.nil?
 
+        timed_level = request[:timed_level]
+        req_detailed = SqDetailedMetrics::Request.new if timed_level >= 2
+
+        # shrinkwrap_timer = request[:timed_shrinkwrap]
+        # shrinkwrap_timer.start
+
         Thread.current[:sqreen_http_request] = nil
-        now = Sqreen::Graft::Timer.read
-        utc_now = Time.now.utc
-
-        request[:timed_callbacks].each do |timer|
-          duration = timer.duration
-          # stop = now
-          # start = now - duration
-          timer.tag =~ /weave,rule=(.*)$/ && rule = $1
-          timer.tag =~ /@before/ && whence = 'pre'
-          timer.tag =~ /@after/  && whence = 'post'
-          timer.tag =~ /@raised/ && whence = 'failing'
-
-          next unless rule && whence
-
-          # Sqreen::PerformanceNotifications.notify(rule, whence, start, stop)
-          # => BinnedMetrics
-          metric_name = "sq.#{rule}.#{whence}"
-          unless metrics_engine.metric?(metric_name)
-            metrics_engine.create_metric(
-              'name' => metric_name,
-              'period' => 60,
-              'kind' => 'Binning',
-              'options' => { 'base' => 2.0, 'factor' => 0.1 },
-            )
+        request_timer = request[:request_timer]
+        now = request_timer.stop
+
+        if timed_level >= 1
+          request[:timed_callbacks].each do |timer|
+            duration_ms = timer.duration * 1000.0
+            # XXX: the timer tag should have this structured data;
+            # it would be better than recomputing this for every measurement
+            metric_name = ::Sqreen::Weave::Legacy::Instrumentation.tag_to_metric_name(timer.tag)
+
+            next unless metric_name
+
+            metrics_engine.update(metric_name, now, nil, duration_ms)
+            duration_ms *= -1.0 if timer.conditions_passed
+            req_detailed.add_measurement metric_name, duration_ms if req_detailed
           end
-          metrics_engine.update(metric_name, now, nil, duration * 1000)
         end
 
-        metric_name = 'sq.hooks_pre.pre'
-        duration = request[:timed_hooks_before].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-
-        metric_name = 'sq.hooks_post.post'
-        duration = request[:timed_hooks_after].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-
-        metric_name = 'sq.hooks_failing.failing'
-        duration = request[:timed_hooks_raised].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
+        sqreen_timer = request[:sqreen_timer]
+        Sqreen::Weave.logger.debug do
+          "request sqreen_timer.total: #{'%.03fus' % (sqreen_timer.duration * 1_000_000)}"
+        end if Sqreen::Weave.logger.debug?
+        Sqreen::Weave.logger.debug do
+          "request request_timer.total: #{'%.03fus' % (request_timer.duration * 1_000_000)}"
+        end if Sqreen::Weave.logger.debug?
+
+        if timed_level >= 1 && Sqreen::Weave.logger.debug?
+          skipped = request[:skipped_callbacks].map(&:name)
+          Sqreen::Weave.logger.debug { "request callback.skipped.count: #{skipped.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_callbacks].map(&:to_s)
+          total = request[:timed_callbacks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request callback.total: #{'%.03fus' % (total * 1_000_000)} callback.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_hooks].map(&:to_s)
+          total = request[:timed_hooks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request hook.total: #{'%.03fus' % (total * 1_000_000)} hook.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
         end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-
-        skipped = request[:skipped_callbacks].map(&:name)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.skipped.size: #{skipped.count} callback.skipped: [#{skipped.join(', ')}]" }
-        timer = request[:timer]
-        total = timer.duration
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} timer.total: #{'%.03fus' % (total * 1_000_000)} timer.size: #{timer.size}" }
-        timings = request[:timed_callbacks].map(&:to_s)
-        total = request[:timed_callbacks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.total: #{'%.03fus' % (total * 1_000_000)} callback.timings: [#{timings.join(', ')}]" }
-        timings = request[:timed_hooks].map(&:to_s)
-        total = request[:timed_hooks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} hook.total: #{'%.03fus' % (total * 1_000_000)} hook.timings: [#{timings.join(', ')}]" }
-
-        skipped = request[:skipped_callbacks].map(&:name)
-        skipped_rule_name = skipped.first && skipped.first =~ /weave,rule=(.*)$/ && $1
-        Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
-
-        sqreen_request_duration = total
-        Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
-
-        request_duration = now - request[:start_time]
-        Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
+
+        overtime_cb = ::Sqreen::Weave::Legacy::Instrumentation.tag_to_metric_name(request[:overtime_cb]) \
+                      if request[:overtime_cb]
+        metrics_engine.update('request_overtime', now, overtime_cb, 1) if overtime_cb
+
+        sqreen_request_duration = sqreen_timer.duration * 1000.0
+        metrics_engine.update('sq', now, nil, sqreen_request_duration)
+
+        request_duration = request_timer.duration * 1000.0
+        metrics_engine.update('req', now, nil, request_duration)
 
         sqreen_request_ratio = (sqreen_request_duration * 100.0) / (request_duration - sqreen_request_duration)
-        Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+        metrics_engine.update('pct', now, nil, sqreen_request_ratio)
+        Sqreen::Weave.logger.debug { "request sqreen_timer.ratio: #{'%.03f' % (sqreen_request_ratio / 100.0)}" } if Sqreen::Weave.logger.debug?
+
+        if req_detailed
+          req_detailed.route = request[:route]
+          req_detailed.overtime_cb = overtime_cb if overtime_cb
+          req_detailed.add_measurement 'sq', sqreen_request_duration
+          req_detailed.add_measurement 'req', request_duration
+
+          metrics_engine.update(REQ_LVL_2_METRIC, now, nil, req_detailed)
+        end
+
+        # shrinkwrap_timer.stop
+
+        # duration = shrinkwrap_timer.duration
+        # metrics_engine.update('sq.shrinkwrap', now, nil, duration * 1000)
       end
     end.install
 
     ### globally declare instrumentation ready
     Sqreen.instrumentation_ready = true
+    Sqreen::Weave.logger.info { "Instrumentation activated" }
   end
 
   # needed by Sqreen::Runner
   def remove_all_callbacks
     Sqreen.instrumentation_ready = false
+    Sqreen::Weave.logger.info { "Instrumentation deactivated" }
 
     loop do
       hook = @hooks.pop
@@ -253,6 +345,15 @@ class Sqreen::Weave::Legacy::Instrumentation
     klass = callback.klass
     method = callback.method
 
+    if (call_count = ENV['SQREEN_DEBUG_CALL_COUNT'])
+      call_count = JSON.parse(call_count)
+      if callback.respond_to?(:rule_name) && call_count.key?(callback.rule_name)
+        count = call_count[callback.rule_name]
+        Sqreen::Weave.logger.debug { "override rule: #{callback.rule_name} call_count: #{count.inspect}" }
+        callback.instance_eval { @call_count_interval = call_count[callback.rule_name] }
+      end
+    end
+
     if Sqreen::Graft::HookPoint.new("#{klass}.#{method}").exist?
       hook_point = "#{klass}.#{method}"
     elsif Sqreen::Graft::HookPoint.new("#{klass}##{method}").exist?
@@ -268,14 +369,14 @@ class Sqreen::Weave::Legacy::Instrumentation
     hook = Sqreen::Graft::Hook[hook_point, strategy]
     hook.add do
       if callback.pre?
-        before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
+        use_flow = block || callback.is_a?(::Sqreen::Conditionable)
+        before(rule, rank: priority, mandatory: !callback.overtimeable, flow: use_flow, ignore: ignore) do |call, b|
           next unless Thread.current[:sqreen_http_request]
 
           i = call.instance
           a = call.args
           r = call.remaining
 
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i}" }
           begin
             ret = callback.pre(i, a, r)
           rescue StandardError => e
@@ -286,17 +387,30 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i} => return=#{ret.inspect}" }
-
-          case ret[:status]
-          when :skip, 'skip'
-            throw(b, b.return(ret[:new_return_value]).break!) if ret.key?(:new_return_value)
-          when :modify_args, 'modify_args'
-            throw(b, b.args(ret[:args]))
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil?
+
+          next if ret.nil? || !ret.is_a?(Hash)
+
+          throw_val =
+            case ret[:status]
+            when :skip, 'skip'
+              b.return(ret[:new_return_value]).break! if ret.key?(:new_return_value)
+            when :modify_args, 'modify_args'
+              b.args(ret[:args])
+            when :raise, 'raise'
+              if ret.key?(:exception)
+                b.raise(ret[:exception])
+              else
+                b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+              end
+            end if block
+
+          if ret && ret[:passed_conditions]
+            throw_val ||= b.noop
+            throw_val.passed_conditions!
+          end
+          next unless throw_val
+          throw_val.break! if ret[:skip_rem_cbs]
+          throw(b, throw_val)
         end
       end
 
@@ -309,7 +423,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
 
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i}" }
           begin
             ret = callback.post(v, i, a, r)
           rescue StandardError => e
@@ -320,15 +433,22 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i} => return=#{ret.inspect}" }
-
-          case ret[:status]
-          when :override, 'override'
-            throw(b, b.return(ret[:new_return_value])) if ret.key?(:new_return_value)
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil?
+
+          throw_val =
+            case ret[:status]
+            when :override, 'override'
+              b.return(ret[:new_return_value]) if ret.key?(:new_return_value)
+            when :raise, 'raise'
+              b.raise(ret[:exception]) if ret.key?(:exception)
+              b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+            end unless ret.nil? || !ret.is_a?(Hash) || !block
+
+          if ret && ret[:passed_conditions]
+            throw_val ||= b.noop
+            throw_val.passed_conditions!
+          end
+          next unless throw_val
+          throw(b, throw_val)
         end
       end
 
@@ -341,7 +461,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
 
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i}" }
           begin
             ret = callback.failing(e, i, a, r)
           rescue StandardError => e
@@ -352,23 +471,30 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => return=#{ret.inspect}" }
-
-          raise e if ret.nil?
-
-          case ret[:status]
-          when :override, 'override'
-            throw(b, b.return(ret[:new_return_value])) if ret.key?(:new_return_value)
-          when :retry, 'retry'
-            throw(b, b.retry)
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          when :reraise, 'reraise'
-            throw(b, b.raise(e))
-          else
-            throw(b, b.raise(e))
-          end unless ret.nil?
+
+          throw(b, b.raise(e)) if ret.nil? || !ret.is_a?(Hash)
+
+          throw_val =
+            case ret[:status]
+            when :override, 'override'
+              b.return(ret[:new_return_value]) if ret.key?(:new_return_value)
+            when :retry, 'retry'
+              b.retry
+            when :raise, 'raise'
+              b.raise(ret[:exception]) if ret.key?(:exception)
+              b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+            when :reraise, 'reraise'
+              b.raise(e)
+            else
+              b.raise(e)
+            end unless ret.nil? || !ret.is_a?(Hash) || !block
+
+          if ret && ret[:passed_conditions]
+            throw_val ||= b.noop
+            throw_val.passed_conditions!
+          end
+          next unless throw_val
+          throw(b, throw_val)
         end
       end
     end.install
@@ -403,4 +529,20 @@ class Sqreen::Weave::Legacy::Instrumentation
       Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
     ]
   end
+
+  def self.tag_to_metric_name(tag)
+    cached = @cache_tag_to_metric[tag]
+    return cached unless cached.nil?
+
+    tag =~ /weave,rule=(.*)$/ && rule = $1 and # rubocop:disable Style/AndOr
+      (tag =~ /@before/ && whence = 'pre' or # rubocop:disable Style/AndOr
+        tag =~ /@after/  && whence = 'post' or # rubocop:disable Style/AndOr
+        tag =~ /@raised/ && whence = 'failing' or # rubocop:disable Style/AndOr
+        tag =~ /@ensured/ && whence = 'finally')
+
+    @cache_tag_to_metric[tag] =
+      rule && whence ? "sq.#{rule}.#{whence}" : false
+  end
+
+  @cache_tag_to_metric = {}
 end