RubyGems - sqreen - Versions diffs - 1.20.1-java → 1.22.0-java - Mend

sqreen 1.20.1-java → 1.22.0-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +40 -0
data/lib/sqreen/actions/block_user.rb +1 -1
data/lib/sqreen/actions/redirect_ip.rb +1 -1
data/lib/sqreen/actions/redirect_user.rb +1 -1
data/lib/sqreen/attack_detected.html +1 -2
data/lib/sqreen/condition_evaluator.rb +8 -2
data/lib/sqreen/configuration.rb +1 -1
data/lib/sqreen/deferred_logger.rb +50 -14
data/lib/sqreen/deliveries/batch.rb +8 -1
data/lib/sqreen/dependency/detector.rb +11 -3
data/lib/sqreen/dependency/new_relic.rb +10 -1
data/lib/sqreen/deprecation.rb +38 -0
data/lib/sqreen/ecosystem.rb +123 -0
data/lib/sqreen/ecosystem/databases/database_connection_data.rb +23 -0
data/lib/sqreen/ecosystem/databases/mongo.rb +39 -0
data/lib/sqreen/ecosystem/databases/mysql.rb +54 -0
data/lib/sqreen/ecosystem/databases/postgres.rb +51 -0
data/lib/sqreen/ecosystem/databases/redis.rb +36 -0
data/lib/sqreen/ecosystem/dispatch_table.rb +43 -0
data/lib/sqreen/ecosystem/exception_reporting.rb +28 -0
data/lib/sqreen/ecosystem/http/net_http.rb +50 -0
data/lib/sqreen/ecosystem/http/rack_request.rb +39 -0
data/lib/sqreen/ecosystem/loggable.rb +13 -0
data/lib/sqreen/ecosystem/messaging/bunny.rb +61 -0
data/lib/sqreen/ecosystem/messaging/kafka.rb +70 -0
data/lib/sqreen/ecosystem/messaging/kinesis.rb +66 -0
data/lib/sqreen/ecosystem/messaging/sqs.rb +68 -0
data/lib/sqreen/ecosystem/module_api.rb +30 -0
data/lib/sqreen/ecosystem/module_api/event_listener.rb +18 -0
data/lib/sqreen/ecosystem/module_api/instrumentation.rb +23 -0
data/lib/sqreen/ecosystem/module_api/message_producer.rb +57 -0
data/lib/sqreen/ecosystem/module_api/signal_producer.rb +24 -0
data/lib/sqreen/ecosystem/module_api/tracing.rb +45 -0
data/lib/sqreen/ecosystem/module_api/tracing/client_data.rb +31 -0
data/lib/sqreen/ecosystem/module_api/tracing/consumer_data.rb +13 -0
data/lib/sqreen/ecosystem/module_api/tracing/messaging_data.rb +35 -0
data/lib/sqreen/ecosystem/module_api/tracing/producer_data.rb +13 -0
data/lib/sqreen/ecosystem/module_api/tracing/server_data.rb +27 -0
data/lib/sqreen/ecosystem/module_api/tracing_id_generation.rb +16 -0
data/lib/sqreen/ecosystem/module_api/transaction_storage.rb +71 -0
data/lib/sqreen/ecosystem/module_registry.rb +48 -0
data/lib/sqreen/ecosystem/tracing/modules/client.rb +35 -0
data/lib/sqreen/ecosystem/tracing/modules/consumer.rb +35 -0
data/lib/sqreen/ecosystem/tracing/modules/determine_ip.rb +28 -0
data/lib/sqreen/ecosystem/tracing/modules/producer.rb +35 -0
data/lib/sqreen/ecosystem/tracing/modules/server.rb +30 -0
data/lib/sqreen/ecosystem/tracing/sampler.rb +160 -0
data/lib/sqreen/ecosystem/tracing/sampling_configuration.rb +150 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_client.rb +53 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_consumer.rb +56 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_producer.rb +56 -0
data/lib/sqreen/ecosystem/tracing/signals/tracing_server.rb +53 -0
data/lib/sqreen/ecosystem/tracing_broker.rb +101 -0
data/lib/sqreen/ecosystem/tracing_id_setup.rb +34 -0
data/lib/sqreen/ecosystem/transaction_storage.rb +64 -0
data/lib/sqreen/ecosystem/util/call_writers_from_init.rb +13 -0
data/lib/sqreen/ecosystem_integration.rb +81 -0
data/lib/sqreen/ecosystem_integration/around_callbacks.rb +89 -0
data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +38 -0
data/lib/sqreen/ecosystem_integration/request_lifecycle_tracking.rb +58 -0
data/lib/sqreen/ecosystem_integration/signal_consumption.rb +35 -0
data/lib/sqreen/events/request_record.rb +0 -1
data/lib/sqreen/frameworks/generic.rb +36 -1
data/lib/sqreen/frameworks/rails.rb +0 -7
data/lib/sqreen/frameworks/request_recorder.rb +2 -0
data/lib/sqreen/graft/call.rb +85 -18
data/lib/sqreen/graft/callback.rb +1 -1
data/lib/sqreen/graft/hook.rb +192 -88
data/lib/sqreen/graft/hook_point.rb +18 -11
data/lib/sqreen/kit/signals/specialized/sqreen_exception.rb +2 -0
data/lib/sqreen/legacy/instrumentation.rb +22 -10
data/lib/sqreen/legacy/old_event_submission_strategy.rb +9 -2
data/lib/sqreen/log.rb +3 -2
data/lib/sqreen/log/loggable.rb +1 -0
data/lib/sqreen/logger.rb +24 -0
data/lib/sqreen/metrics_store.rb +11 -0
data/lib/sqreen/null_logger.rb +22 -0
data/lib/sqreen/remote_command.rb +4 -0
data/lib/sqreen/rules.rb +8 -4
data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -2
data/lib/sqreen/rules/custom_error_cb.rb +3 -3
data/lib/sqreen/rules/rule_cb.rb +2 -0
data/lib/sqreen/rules/waf_cb.rb +3 -3
data/lib/sqreen/runner.rb +47 -7
data/lib/sqreen/session.rb +2 -0
data/lib/sqreen/signals/conversions.rb +6 -1
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/budget.rb +46 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +252 -109
data/lib/sqreen/worker.rb +6 -2
metadata +60 -11
data/lib/sqreen/encoding_sanitizer.rb +0 -27

data/lib/sqreen/rules/custom_error_cb.rb CHANGED

@@ -55,12 +55,12 @@ module Sqreen
       end
       def respond_page
-        page = open(File.join(File.dirname(__FILE__), '../attack_detected.html'))
+        @page ||= File.open(File.join(File.dirname(__FILE__), '../attack_detected.html'), 'rb', &:read)
         headers = {
           'Content-Type' => 'text/html',
-          'Content-Length' => page.size.to_s,
+          'Content-Length' => @page.size.to_s,
         }
-        [@status_code, headers, page]
+        [@status_code, headers, [@page]]
       end
     end
   end

data/lib/sqreen/rules/rule_cb.rb CHANGED

@@ -3,6 +3,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/deprecation'
 require 'sqreen/framework_cb'
 require 'sqreen/context'
 require 'sqreen/conditionable'
@@ -109,6 +110,7 @@ module Sqreen
         )
         true
       end
+      Sqreen::Deprecation.deprecate(instance_method(:overtime!))
     end
   end
 end

data/lib/sqreen/rules/waf_cb.rb CHANGED

@@ -11,7 +11,7 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
-require 'sqreen/encoding_sanitizer'
+require 'sqreen/kit/string_sanitizer'
 module Sqreen
   module Rules
@@ -60,7 +60,7 @@ module Sqreen
         end
         # 0 for using defaults (PW_RUN_TIMEOUT)
-        @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+        @max_run_budget_us = (@data['values'].fetch('max_budget_ms', 0) * 1000).to_i
         @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
         Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
@@ -82,7 +82,7 @@ module Sqreen
         waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
           h[e] = capper.call(b.resolve(*env))
         end
-        waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
+        waf_args = Sqreen::Kit::StringSanitizer.sanitize(waf_args)
         if budget
           rem_budget_s = budget - (Sqreen.time - start)

data/lib/sqreen/runner.rb CHANGED

@@ -14,6 +14,7 @@ require 'sqreen/log'
 require 'sqreen/agent_message'
 require 'sqreen/rules'
 require 'sqreen/session'
+require 'sqreen/version'
 require 'sqreen/remote_command'
 require 'sqreen/capped_queue'
 require 'sqreen/metrics_store'
@@ -26,6 +27,7 @@ require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
 require 'sqreen/weave/legacy/instrumentation'
 require 'sqreen/kit/configuration'
+require 'sqreen/ecosystem_integration'
 module Sqreen
   @features = {}
@@ -52,10 +54,6 @@ module Sqreen
       @queue ||= CappedQueue.new(MAX_QUEUE_LENGTH)
     end
-    def update_queue(queue)
-      @queue = queue
-    end
     def observations_queue
       @observations_queue ||= CappedQueue.new(MAX_OBS_QUEUE_LENGTH)
     end
@@ -104,8 +102,8 @@ module Sqreen
     # we may want to do that in a thread in order to prevent delaying app
     # startup
     # set_at_exit do not place a global at_exit (used for testing)
+    # @param [Sqreen::Frameworks::GenericFramework] framework
     def initialize(configuration, framework, set_at_exit = true, session_class = Sqreen::Session)
-      Sqreen.update_queue(CappedQueue.new(MAX_QUEUE_LENGTH))
       @logged_out_tried = false
       @configuration = configuration
       @framework = framework
@@ -132,6 +130,7 @@ module Sqreen
       Sqreen::Kit::Configuration.ingestion_url = chosen_endpoints.ingestion.url
       Sqreen::Kit::Configuration.certificate_store = chosen_endpoints.ingestion.ca_store
       Sqreen::Kit::Configuration.proxy_url = @proxy_url
+      Sqreen::Kit::Configuration.default_source = "sqreen:agent:ruby:#{Sqreen::VERSION}"
       register_exit_cb if set_at_exit
@@ -168,6 +167,10 @@ module Sqreen
       end
       self.features = wanted_features
+      @ecosystem_integration = EcosystemIntegration.new(framework, Sqreen.queue)
+      framework.req_start_cb = @ecosystem_integration.method(:request_start)
+      framework.req_end_cb = @ecosystem_integration.method(:request_end)
       # Ensure a deliverer is there unless features have set it first
       self.deliverer ||= Deliveries::Simple.new(session)
       context_infos = {}
@@ -268,6 +271,10 @@ module Sqreen
       rulespack_id, rules = load_rules(context_infos)
       @framework.instrument_when_ready!(instrumenter, rules)
       Sqreen.log.info 'Instrumentation set up'
+      # XXX: ecosystem instrumentation should likely be deferred
+      #      the same way the rest might be
+      @ecosystem_integration.init
       rulespack_id.to_s
     end
@@ -387,11 +394,35 @@ module Sqreen
     def change_performance_budget(budget, _context_infos = {})
       return false unless budget.nil? || budget.to_f > 0
-      prev = Sqreen.performance_budget
-      Sqreen.update_performance_budget(budget)
+      if @configuration.get(:weave)
+        prev = Sqreen::Weave::Budget.current
+        prev = prev.to_h if prev
+        budget_s = budget.to_f / 1000 if budget
+        feature = features['performance_budget']
+        if feature
+          budget_s = feature['threshold'] if feature.key?('threshold')
+          ratio = feature['ratio'] if feature.key?('ratio')
+        end
+        Sqreen::Weave::Budget.update(threshold: budget_s, ratio: ratio)
+      else
+        prev = Sqreen.performance_budget
+        Sqreen.update_performance_budget(budget)
+      end
       { :was => prev }
     end
+    # @param [String] tracing_id_prefix
+    # @param [Array<Hash{String=>Object}>] sampling_config
+    def tracing_enable(tracing_id_prefix, sampling_config, _context_infos = {})
+      @ecosystem_integration.handle_tracing_command(tracing_id_prefix, sampling_config)
+      { status: true }
+    end
     def upload_bundle(_context_infos = {})
       t = Time.now
       session.post_bundle(RuntimeInfos.dependencies_signature, RuntimeInfos.dependencies)
@@ -478,6 +509,15 @@ module Sqreen
       logout
     end
+    def restart(_context_infos = {})
+      shutdown
+      heartbeat_delay = @heartbeat_delay
+      Thread.new do
+        sleep(2 * heartbeat_delay)
+        Sqreen::Worker.start(Sqreen.framework)
+      end
+    end
     def logout(retrying = true)
       return unless session
       Sqreen.log.debug("Logging out")

data/lib/sqreen/session.rb CHANGED

@@ -249,8 +249,10 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
       Kit::Configuration.session_key = @session_id
       Kit.reset
       Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res

data/lib/sqreen/signals/conversions.rb CHANGED

@@ -118,6 +118,7 @@ module Sqreen
           signals += req_rec.processed_sdk_calls
                             .select { |h| h[:name] == :track }
                             .map { |h| convert_track(h) }
+          signals += (observed[:signals] || [])
           trace = Kit::Signals::Specialized::HttpTrace.new(
             actor: Kit::Signals::Actor.new(
@@ -137,7 +138,7 @@ module Sqreen
           trace
         end
-        # @param [Array<Sqreen::Kit::Signals::Signal|Sqreen::Kit::Signals::Trace>] batch
+        # @return [Array<Sqreen::Kit::Signals::Signal|Sqreen::Kit::Signals::Trace>]
         def convert_batch(batch)
           batch.map do |evt|
             case evt
@@ -147,6 +148,10 @@ module Sqreen
               convert_metric_sample(evt)
             when RequestRecord
               convert_req_record(evt)
+            when Sqreen::Kit::Signals::Signal
+              evt
+            when Sqreen::Kit::Signals::Trace
+              evt
             else
               raise NotImplementedError, "Unknown type of event in batch: #{evt}"
             end

data/lib/sqreen/version.rb CHANGED

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 module Sqreen
-  VERSION = '1.20.1'.freeze
+  VERSION = '1.22.0'.freeze
 end

data/lib/sqreen/weave/budget.rb ADDED

@@ -0,0 +1,46 @@
+# typed: false
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log/loggable'
+require 'sqreen/weave'
+class Sqreen::Weave::Budget
+  include Sqreen::Log::Loggable
+  def initialize(threshold, ratio = nil)
+    @threshold = threshold
+    @ratio = ratio
+  end
+  def static?
+    threshold && !ratio
+  end
+  def dynamic?
+    threshold && ratio
+  end
+  attr_reader :threshold
+  attr_reader :ratio
+  def to_h
+    { threshold: threshold, ratio: ratio }
+  end
+  class << self
+    attr_reader :current
+    def update(opts = nil)
+      Sqreen::Weave.logger.info("budget update:#{opts.inspect}")
+      return @current = nil if opts.nil? || opts.empty?
+      threshold = opts[:threshold]
+      ratio = opts[:ratio]
+      @current = new(threshold, ratio)
+    end
+  end
+end

data/lib/sqreen/weave/legacy/instrumentation.rb CHANGED

@@ -4,10 +4,13 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'sqreen/weave/legacy'
+require 'sqreen/weave/budget'
+require 'sqreen/graft/hook'
 require 'sqreen/graft/hook_point'
 require 'sqreen/call_countable'
 require 'sqreen/rules'
 require 'sqreen/rules/record_request_context'
+require 'sqreen/sqreen_signed_verifier'
 class Sqreen::Weave::Legacy::Instrumentation
   attr_accessor :metrics_engine
@@ -60,6 +63,27 @@ class Sqreen::Weave::Legacy::Instrumentation
       'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
     )
+    metrics_engine.create_metric(
+      'name' => 'req.sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+    metrics_engine.create_metric(
+      'name' => 'sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+    metrics_engine.create_metric(
+      'name' => 'sq.shrinkwrap',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
     Sqreen.thread_cpu_time? && metrics_engine.create_metric(
       'name' => 'sq_thread_cpu_pct',
       'period' => opts[:period] || 60,
@@ -72,18 +96,79 @@ class Sqreen::Weave::Legacy::Instrumentation
   def instrument!(rules, framework)
     Sqreen::Weave.logger.debug { "#{rules.count} rules, #{framework}" }
+    # TODO: make config able to see if value was user-set or default
     strategy = Sqreen.config_get(:weave_strategy)
+    # TODO: factor generic hint system out
+    # TODO: factor those hint definitions to dependency
+    strategy_hints = []
     if strategy == :prepend && !Module.respond_to?(:prepend)
-      Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
-      strategy = :chain
-    elsif strategy == :chain && Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
-      Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} unavailable with scout_apm >= 2.5.2, switching to :prepend" }
-      strategy = :prepend
+      Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect} unavailable, falling back to :chain" }
+      strategy_hints << [:chain, 'Module.respond_to?(:prepend)', 'false']
+    end
+    if Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('< 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.debug { "strategy: :prepend unavailable with scout_apm < 2.5.2, switching to :chain" }
+      strategy_hints << [:chain, 'scout_apm', '< 2.5.2']
+    end
+    if Gem::Specification.select { |s| s.name == 'scout_apm' && Gem::Requirement.new('>= 2.5.2').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.debug { "strategy: :chain unavailable with scout_apm >= 2.5.2, switching to :prepend" }
+      strategy_hints << [:prepend, 'scout_apm', '>= 2.5.2']
+    end
+    if Gem::Specification.select { |s| s.name == 'ddtrace' && Gem::Requirement.new('< 0.27').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.debug { "strategy: :prepend unavailable with ddtrace < 0.27, switching to :chain" }
+      strategy_hints << [:chain, 'ddtrace', '< 0.27']
+    end
+    if Gem::Specification.select { |s| s.name == 'ddtrace' && Gem::Requirement.new('>= 0.27').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.debug { "strategy: :chain unavailable with ddtrace >= 0.27, switching to :prepend" }
+      strategy_hints << [:prepend, 'ddtrace', '>= 0.27']
+    end
+    if Gem::Specification.select { |s| s.name == 'skylight' && Gem::Requirement.new('< 5.0.0.beta').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.debug { "strategy: :prepend unavailable with skylight < 5.0.0.beta, switching to :chain" }
+      strategy_hints << [:chain, 'skylight', '< 5.0.0.beta']
+    end
+    if Gem::Specification.select { |s| s.name == 'skylight' && Gem::Requirement.new('>= 5.0.0.beta').satisfied_by?(Gem::Version.new(s.version)) }.any?
+      Sqreen::Weave.logger.debug { "strategy: :chain unavailable with skylight >= 5.0.0.beta, switching to :prepend" }
+      strategy_hints << [:prepend, 'skylight', '>= 5.0.0.beta']
+    end
+    if strategy_hints.map(&:first).uniq.count > 1
+      raise Sqreen::Exception, "conflicting instrumentation strategies: #{strategy_hints.inspect}"
+    end
+    if strategy_hints.map(&:first).uniq.count == 1 && strategy != strategy_hints.first.first
+      was = strategy
+      strategy = strategy_hints.first.first
+      Sqreen::Weave.logger.warn { "strategy: #{strategy.inspect} was: #{was.inspect} hints: #{strategy_hints.inspect}" }
+    else
+      Sqreen::Weave.logger.info { "strategy: #{strategy.inspect}" }
     end
-    Sqreen::Weave.logger.debug { "strategy: #{strategy.inspect}" }
     ### set up rule signature verifier
     verifier = nil
+    # TODO: check for JRuby via dependency
+    # TODO: reinstate signatures for JRuby
+    if Sqreen.config_get(:rules_verify_signature) == true && !defined?(::JRUBY_VERSION)
+      verifier = Sqreen::SqreenSignedVerifier.new
+      Sqreen::Weave.logger.debug('rules: signature status: enabled')
+    else
+      Sqreen::Weave.logger.debug('rules: signature status: disabled')
+    end
+    if verifier
+      invalid_rules = rules.reject do |rule|
+        valid = verifier.verify(rule)
+        if valid
+          Sqreen::Weave.logger.debug { "rule: #{rule['name']} signed: true result: ok" }
+        else
+          Sqreen::Weave.logger.error { "rule: #{rule['name']} singed: true result: fail" }
+        end
+      end
+      if invalid_rules.any?
+        Sqreen::Weave.logger.error { "weave: instrument status: abort reason: signature result: fail" }
+        raise Sqreen::Exception, "Signature error: rules: #{invalid_rules.map { |r| r['name'] }.inspect}"
+      else
+        Sqreen::Weave.logger.info { "weave: instrument rules: signed result: ok" }
+      end
+    end
     ### force clean instrumentation callback list
     @hooks = []
     ### for each rule description
@@ -94,6 +179,25 @@ class Sqreen::Weave::Legacy::Instrumentation
       next unless rule_callback
       ### attach framework to callback
       rule_callback.framework = framework
+      ## create metric
+      Sqreen::Weave.logger.debug { "Adding rule metric: #{rule_callback}" }
+      [:pre, :post, :failing].each do |whence|
+        next unless rule_callback.send(:"#{whence}?")
+        metric_name = "sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+        metric_name = "req.sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+      end
       ### install callback, observing priority
       Sqreen::Weave.logger.debug { "Adding rule callback: #{rule_callback}" }
       @hooks << add_callback("weave,rule=#{rule['name']}", rule_callback, strategy)
@@ -107,30 +211,43 @@ class Sqreen::Weave::Legacy::Instrumentation
     end
     metrics_engine = self.metrics_engine
     request_hook = Sqreen::Graft::Hook['Sqreen::ShrinkWrap#call', strategy]
     @hooks << request_hook
     request_hook.add do
       before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
         next unless Sqreen.instrumentation_ready
-        uuid = SecureRandom.uuid
-        now = Sqreen::Graft::Timer.read
+        # shrinkwrap_timer = Sqreen::Graft::Timer.new('weave,shrinkwrap')
+        # shrinkwrap_timer.start
+        request_timer = Sqreen::Graft::Timer.new("request")
+        request_timer.start
+        sqreen_timer = Sqreen::Graft::Timer.new("sqreen")
+        budget = Sqreen::Weave::Budget.current
+        request_budget_threshold = budget.threshold if budget
+        request_budget_ratio = budget.ratio if budget
+        request_budget_is_dynamic = !request_budget_ratio.nil?
+        request_budget = !request_budget_threshold.nil?
+        timed_level = (Sqreen.features['perf_level'] || 1).to_i
+        Sqreen::Weave.logger.debug { "request budget: #{budget.to_h} timed.level: #{timed_level}" } if Sqreen::Weave.logger.debug?
         Thread.current[:sqreen_http_request] = {
-          uuid: uuid,
-          start_time: now,
-          time_budget: Sqreen.performance_budget,
+          request_timer: request_timer,
+          sqreen_timer: sqreen_timer,
           time_budget_expended: false,
-          timer: Sqreen::Graft::Timer.new("request_#{uuid}"),
+          time_budget_threshold: request_budget_threshold,
+          time_budget_dynamic: request_budget_is_dynamic,
+          time_budget_ratio: request_budget_ratio,
+          time_budget: request_budget,
           timed_callbacks: [],
           timed_hooks: [],
-          timed_hooks_before: [],
-          timed_hooks_after: [],
-          timed_hooks_raised: [],
-          timed_hooks_ensured: [],
+          timed_level: timed_level,
           skipped_callbacks: [],
+          # timed_shrinkwrap: shrinkwrap_timer,
         }
-        Sqreen::Weave.logger.debug { "request.uuid: #{uuid}" }
+        # shrinkwrap_timer.stop
       end
       ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
@@ -138,105 +255,118 @@ class Sqreen::Weave::Legacy::Instrumentation
         next if request.nil?
+        # shrinkwrap_timer = request[:timed_shrinkwrap]
+        # shrinkwrap_timer.start
         Thread.current[:sqreen_http_request] = nil
-        now = Sqreen::Graft::Timer.read
-        utc_now = Time.now.utc
-        request[:timed_callbacks].each do |timer|
-          duration = timer.duration
-          # stop = now
-          # start = now - duration
-          timer.tag =~ /weave,rule=(.*)$/ && rule = $1
-          timer.tag =~ /@before/ && whence = 'pre'
-          timer.tag =~ /@after/  && whence = 'post'
-          timer.tag =~ /@raised/ && whence = 'failing'
-          next unless rule && whence
-          # Sqreen::PerformanceNotifications.notify(rule, whence, start, stop)
-          # => BinnedMetrics
-          metric_name = "sq.#{rule}.#{whence}"
-          unless metrics_engine.metric?(metric_name)
-            metrics_engine.create_metric(
-              'name' => metric_name,
-              'period' => 60,
-              'kind' => 'Binning',
-              'options' => { 'base' => 2.0, 'factor' => 0.1 },
-            )
+        request_timer = request[:request_timer]
+        now = request_timer.stop
+        if request[:timed_level] >= 1
+          request[:timed_callbacks].each do |timer|
+            duration = timer.duration
+            timer.tag =~ /weave,rule=(.*)$/ && rule = $1
+            next unless rule
+            whence = case timer.tag
+                     when /@before/ then 'pre'
+                     when /@after/  then 'post'
+                     when /@raised/ then 'failing'
+                     end
+            next unless whence
+            metric_name = "sq.#{rule}.#{whence}"
+            metrics_engine.update(metric_name, now, nil, duration * 1000)
+            # Sqreen.observations_queue.push([metric_name, nil, duration * 1000, utc_now])
           end
-          metrics_engine.update(metric_name, now, nil, duration * 1000)
-        end
-        metric_name = 'sq.hooks_pre.pre'
-        duration = request[:timed_hooks_before].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-        metric_name = 'sq.hooks_post.post'
-        duration = request[:timed_hooks_after].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-        metric_name = 'sq.hooks_failing.failing'
-        duration = request[:timed_hooks_raised].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
+          request[:timed_hooks].each do |timer|
+            duration = timer.duration
+            metrics_engine.update('sq.hook.overhead', now, nil, duration * 1000)
+            # Sqreen.observations_queue.push(['sq.hook.overhead', nil, duration * 1000, utc_now])
+          end
         end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-        skipped = request[:skipped_callbacks].map(&:name)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.skipped.size: #{skipped.count} callback.skipped: [#{skipped.join(', ')}]" }
-        timer = request[:timer]
-        total = timer.duration
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} timer.total: #{'%.03fus' % (total * 1_000_000)} timer.size: #{timer.size}" }
-        timings = request[:timed_callbacks].map(&:to_s)
-        total = request[:timed_callbacks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.total: #{'%.03fus' % (total * 1_000_000)} callback.timings: [#{timings.join(', ')}]" }
-        timings = request[:timed_hooks].map(&:to_s)
-        total = request[:timed_hooks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} hook.total: #{'%.03fus' % (total * 1_000_000)} hook.timings: [#{timings.join(', ')}]" }
+        sqreen_timer = request[:sqreen_timer]
+        total = sqreen_timer.duration
+        Sqreen::Weave.logger.debug { "request sqreen_timer.total: #{'%.03fus' % (total * 1_000_000)}" } if Sqreen::Weave.logger.debug?
+        total = request_timer.duration
+        Sqreen::Weave.logger.debug { "request request_timer.total: #{'%.03fus' % (total * 1_000_000)}" } if Sqreen::Weave.logger.debug?
+        if request[:timed_level] >= 2
+          skipped = request[:skipped_callbacks].map(&:name)
+          Sqreen::Weave.logger.debug { "request callback.skipped.count: #{skipped.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_callbacks].map(&:to_s)
+          total = request[:timed_callbacks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request callback.total: #{'%.03fus' % (total * 1_000_000)} callback.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_hooks].map(&:to_s)
+          total = request[:timed_hooks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request hook.total: #{'%.03fus' % (total * 1_000_000)} hook.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
+        end
         skipped = request[:skipped_callbacks].map(&:name)
         skipped_rule_name = skipped.first && skipped.first =~ /weave,rule=(.*)$/ && $1
-        Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
+        metrics_engine.update('request_overtime', now, skipped_rule_name, 1) if skipped_rule_name
+        # Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
-        sqreen_request_duration = total
-        Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
+        sqreen_request_duration = sqreen_timer.duration
+        metrics_engine.update('sq', now, nil, sqreen_request_duration * 1000)
+        # Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
-        request_duration = now - request[:start_time]
-        Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
+        request_duration = request_timer.duration
+        metrics_engine.update('req', now, nil, request_duration * 1000)
+        # Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
         sqreen_request_ratio = (sqreen_request_duration * 100.0) / (request_duration - sqreen_request_duration)
-        Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+        metrics_engine.update('pct', now, nil, sqreen_request_ratio)
+        # Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+        Sqreen::Weave.logger.debug { "request sqreen_timer.ratio: #{'%.03f' % (sqreen_request_ratio / 100.0)}" } if Sqreen::Weave.logger.debug?
+        if request[:timed_level] >= 2
+          tallies = Hash.new(0.0)
+          request[:timed_callbacks].each do |timer|
+            duration = timer.duration
+            timer.tag =~ /weave,rule=(.*)$/ && rule = $1
+            next unless rule
+            whence = case timer.tag
+                     when /@before/ then 'pre'
+                     when /@after/  then 'post'
+                     when /@raised/ then 'failing'
+                     end
+            next unless whence
+            metric_name = "req.sq.#{rule}.#{whence}"
+            tallies[metric_name] += duration
+          end
+          tallies.each do |metric_name, duration|
+            metrics_engine.update(metric_name, now, nil, duration * 1000)
+            # Sqreen.observations_queue.push([metric_name, nil, duration * 1000, utc_now])
+          end
+          duration = request[:timed_hooks].sum(&:duration)
+          metrics_engine.update('req.sq.hook.overhead', now, nil, duration * 1000)
+          # Sqreen.observations_queue.push(['req.sq.hook.overhead', nil, duration * 1000, utc_now])
+        end
+        # shrinkwrap_timer.stop
+        # duration = shrinkwrap_timer.duration
+        # metrics_engine.update('sq.shrinkwrap', now, nil, duration * 1000)
       end
     end.install
     ### globally declare instrumentation ready
     Sqreen.instrumentation_ready = true
+    Sqreen::Weave.logger.info { "Instrumentation activated" }
   end
   # needed by Sqreen::Runner
   def remove_all_callbacks
     Sqreen.instrumentation_ready = false
+    Sqreen::Weave.logger.info { "Instrumentation deactivated" }
     loop do
       hook = @hooks.pop
@@ -253,6 +383,15 @@ class Sqreen::Weave::Legacy::Instrumentation
     klass = callback.klass
     method = callback.method
+    if (call_count = ENV['SQREEN_DEBUG_CALL_COUNT'])
+      call_count = JSON.parse(call_count)
+      if callback.respond_to?(:rule_name) && call_count.key?(callback.rule_name)
+        count = call_count[callback.rule_name]
+        Sqreen::Weave.logger.debug { "override rule: #{callback.rule_name} call_count: #{count.inspect}" }
+        callback.instance_eval { @call_count_interval = call_count[callback.rule_name] }
+      end
+    end
     if Sqreen::Graft::HookPoint.new("#{klass}.#{method}").exist?
       hook_point = "#{klass}.#{method}"
     elsif Sqreen::Graft::HookPoint.new("#{klass}##{method}").exist?
@@ -275,7 +414,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i}" }
           begin
             ret = callback.pre(i, a, r)
           rescue StandardError => e
@@ -286,17 +424,26 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i} => return=#{ret.inspect}" }
-          case ret[:status]
-          when :skip, 'skip'
-            throw(b, b.return(ret[:new_return_value]).break!) if ret.key?(:new_return_value)
-          when :modify_args, 'modify_args'
-            throw(b, b.args(ret[:args]))
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil? || !ret.is_a?(Hash)
+          next if ret.nil? || !ret.is_a?(Hash)
+          throw_val =
+            case ret[:status]
+            when :skip, 'skip'
+              b.return(ret[:new_return_value]).break! if ret.key?(:new_return_value)
+            when :modify_args, 'modify_args'
+              b.args(ret[:args])
+            when :raise, 'raise'
+              if ret.key?(:exception)
+                b.raise(ret[:exception])
+              else
+                b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+              end
+            end
+          next unless throw_val
+          throw_val.break! if ret[:skip_rem_cbs]
+          throw(b, throw_val)
         end
       end
@@ -309,7 +456,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i}" }
           begin
             ret = callback.post(v, i, a, r)
           rescue StandardError => e
@@ -320,7 +466,6 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i} => return=#{ret.inspect}" }
           case ret[:status]
           when :override, 'override'
@@ -341,7 +486,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i}" }
           begin
             ret = callback.failing(e, i, a, r)
           rescue StandardError => e
@@ -352,7 +496,6 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => return=#{ret.inspect}" }
           throw(b, b.raise(e)) if ret.nil? || !ret.is_a?(Hash)