RubyGems - sqreen - Versions diffs - 1.21.0.beta2 → 1.21.0.beta3 - Mend

sqreen 1.21.0.beta2 → 1.21.0.beta3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -7
data/lib/sqreen/actions/block_user.rb +1 -1
data/lib/sqreen/actions/redirect_ip.rb +1 -1
data/lib/sqreen/actions/redirect_user.rb +1 -1
data/lib/sqreen/condition_evaluator.rb +9 -2
data/lib/sqreen/conditionable.rb +24 -6
data/lib/sqreen/configuration.rb +1 -1
data/lib/sqreen/deferred_logger.rb +50 -14
data/lib/sqreen/deprecation.rb +38 -0
data/lib/sqreen/ecosystem_integration.rb +7 -1
data/lib/sqreen/ecosystem_integration/around_callbacks.rb +20 -10
data/lib/sqreen/ecosystem_integration/instrumentation_service.rb +8 -4
data/lib/sqreen/events/request_record.rb +0 -1
data/lib/sqreen/frameworks/generic.rb +9 -0
data/lib/sqreen/frameworks/rails.rb +0 -7
data/lib/sqreen/frameworks/request_recorder.rb +2 -0
data/lib/sqreen/graft/call.rb +99 -21
data/lib/sqreen/graft/callback.rb +1 -1
data/lib/sqreen/graft/hook.rb +212 -100
data/lib/sqreen/graft/hook_point.rb +18 -11
data/lib/sqreen/legacy/instrumentation.rb +22 -10
data/lib/sqreen/legacy/old_event_submission_strategy.rb +2 -1
data/lib/sqreen/log.rb +3 -2
data/lib/sqreen/log/loggable.rb +1 -0
data/lib/sqreen/logger.rb +24 -0
data/lib/sqreen/metrics.rb +1 -0
data/lib/sqreen/metrics/req_detailed.rb +41 -0
data/lib/sqreen/metrics_store.rb +11 -0
data/lib/sqreen/null_logger.rb +22 -0
data/lib/sqreen/remote_command.rb +1 -0
data/lib/sqreen/rules.rb +8 -4
data/lib/sqreen/rules/blacklist_ips_cb.rb +2 -2
data/lib/sqreen/rules/custom_error_cb.rb +3 -3
data/lib/sqreen/rules/rule_cb.rb +4 -2
data/lib/sqreen/rules/waf_cb.rb +3 -3
data/lib/sqreen/runner.rb +46 -5
data/lib/sqreen/version.rb +1 -1
data/lib/sqreen/weave/budget.rb +35 -0
data/lib/sqreen/weave/legacy/instrumentation.rb +274 -132
data/lib/sqreen/worker.rb +6 -2
metadata +22 -6
data/lib/sqreen/encoding_sanitizer.rb +0 -27

data/lib/sqreen/rules/custom_error_cb.rb CHANGED

@@ -55,12 +55,12 @@ module Sqreen
       end
       def respond_page
-        page = open(File.join(File.dirname(__FILE__), '../attack_detected.html'))
+        @page ||= File.read(File.join(File.dirname(__FILE__), '../attack_detected.html'))
         headers = {
           'Content-Type' => 'text/html',
-          'Content-Length' => page.size.to_s,
+          'Content-Length' => @page.size.to_s,
         }
-        [@status_code, headers, page]
+        [@status_code, headers, [@page]]
       end
     end
   end

data/lib/sqreen/rules/rule_cb.rb CHANGED

@@ -3,6 +3,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/deprecation'
 require 'sqreen/framework_cb'
 require 'sqreen/context'
 require 'sqreen/conditionable'
@@ -89,9 +90,9 @@ module Sqreen
         framework.observe(:sqreen_exceptions, payload)
       end
-      # Recommend taking an action (optionnally adding more data/context)
+      # Recommend taking an action (optionally adding more data/context)
       #
-      # This will format the requested action and optionnally
+      # This will format the requested action and optionally
       # override it if it should not be taken (should not block for example)
       def advise_action(action, additional_data = {})
         return if action.nil? && additional_data.empty?
@@ -109,6 +110,7 @@ module Sqreen
         )
         true
       end
+      Sqreen::Deprecation.deprecate(instance_method(:overtime!))
     end
   end
 end

data/lib/sqreen/rules/waf_cb.rb CHANGED

@@ -11,7 +11,7 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
-require 'sqreen/encoding_sanitizer'
+require 'sqreen/kit/string_sanitizer'
 module Sqreen
   module Rules
@@ -60,7 +60,7 @@ module Sqreen
         end
         # 0 for using defaults (PW_RUN_TIMEOUT)
-        @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+        @max_run_budget_us = (@data['values'].fetch('max_budget_ms', 0) * 1000).to_i
         @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
         Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
@@ -82,7 +82,7 @@ module Sqreen
         waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
           h[e] = capper.call(b.resolve(*env))
         end
-        waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
+        waf_args = Sqreen::Kit::StringSanitizer.sanitize(waf_args)
         if budget
           rem_budget_s = budget - (Sqreen.time - start)

data/lib/sqreen/runner.rb CHANGED

@@ -141,7 +141,12 @@ module Sqreen
       end
       if @configuration.get(:weave) || needs_weave.call
-        @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine)
+        # XXX: don't get updated
+        opts = {
+          perf_req_metrics_max_reqs: Sqreen.features['perf_req_metrics_max_reqs'],
+          perf_req_metrics_period: Sqreen.features['perf_req_metrics_period'],
+        }
+        @instrumenter = Sqreen::Weave::Legacy::Instrumentation.new(metrics_engine, opts)
       else
         @instrumenter = Sqreen::Legacy::Instrumentation.new(metrics_engine)
       end
@@ -167,7 +172,9 @@ module Sqreen
       end
       self.features = wanted_features
-      @ecosystem_integration = EcosystemIntegration.new(framework, Sqreen.queue)
+      @ecosystem_integration = EcosystemIntegration.new(framework,
+                                                        Sqreen.queue,
+                                                        create_binning_metric_proc)
       framework.req_start_cb = @ecosystem_integration.method(:request_start)
       framework.req_end_cb = @ecosystem_integration.method(:request_end)
@@ -274,7 +281,7 @@ module Sqreen
       # XXX: ecosystem instrumentation should likely be deferred
       #      the same way the rest might be
-      @ecosystem_integration.init
+      @ecosystem_integration.init unless Sqreen.features['disable_ecosystem']
       rulespack_id.to_s
     end
@@ -394,8 +401,18 @@ module Sqreen
     def change_performance_budget(budget, _context_infos = {})
       return false unless budget.nil? || budget.to_f > 0
-      prev = Sqreen.performance_budget
-      Sqreen.update_performance_budget(budget)
+      if @configuration.get(:weave)
+        prev = Sqreen::Weave::Budget.current
+        prev = prev.to_h if prev
+        budget_s = budget.to_f / 1000.0 if budget
+        Sqreen::Weave::Budget.update(threshold: budget_s)
+      else
+        prev = Sqreen.performance_budget
+        Sqreen.update_performance_budget(budget)
+      end
       { :was => prev }
     end
@@ -492,6 +509,15 @@ module Sqreen
       logout
     end
+    def restart(_context_infos = {})
+      shutdown
+      heartbeat_delay = @heartbeat_delay
+      Thread.new do
+        sleep(2 * heartbeat_delay)
+        Sqreen::Worker.start(Sqreen.framework)
+      end
+    end
     def logout(retrying = true)
       return unless session
       Sqreen.log.debug("Logging out")
@@ -529,6 +555,21 @@ module Sqreen
     private
+    def create_binning_metric_proc
+      lambda do |metric_name|
+        return if @metrics_engine.metric?(metric_name)
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'kind' => 'Binning',
+          'period' => Sqreen.features['performance_metrics_period'] || 60,
+          'options' => {
+            'base' => Sqreen.features['perf_base'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_BASE,
+            'factor' => Sqreen.features['perf_unit'] || PerformanceNotifications::BinnedMetrics::DEFAULT_PERF_UNIT,
+          },
+        )
+      end
+    end
     def post_endpoint_testing_msgs(chosen_endpoints)
       chosen_endpoints.messages.each do |msg|
         session.post_agent_message(@framework, msg)

data/lib/sqreen/version.rb CHANGED

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 module Sqreen
-  VERSION = '1.21.0.beta2'.freeze
+  VERSION = '1.21.0.beta3'.freeze
 end

data/lib/sqreen/weave/budget.rb ADDED

@@ -0,0 +1,35 @@
+# typed: false
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+require 'sqreen/log/loggable'
+require 'sqreen/weave'
+class Sqreen::Weave::Budget
+  include Sqreen::Log::Loggable
+  def initialize(threshold)
+    @threshold = threshold
+  end
+  attr_reader :threshold
+  def to_h
+    { threshold: threshold }
+  end
+  class << self
+    attr_reader :current
+    def update(opts = nil)
+      Sqreen::Weave.logger.info("budget update:#{opts.inspect}")
+      return @current = nil if opts.nil? || opts.empty?
+      threshold = opts[:threshold]
+      @current = threshold
+    end
+  end
+end

data/lib/sqreen/weave/legacy/instrumentation.rb CHANGED

@@ -4,23 +4,41 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 require 'sqreen/weave/legacy'
+require 'sqreen/weave/budget'
+require 'sqreen/graft/hook'
 require 'sqreen/graft/hook_point'
 require 'sqreen/call_countable'
 require 'sqreen/rules'
 require 'sqreen/rules/record_request_context'
+require 'sqreen/sqreen_signed_verifier'
+require 'rack/request'
+begin
+  require 'sq_detailed_metrics'
+rescue LoadError => _e # rubocop:disable Lint/HandleExceptions
+end
 class Sqreen::Weave::Legacy::Instrumentation
   attr_accessor :metrics_engine
+  HAS_SQ_DETAILED_METRICS = defined?(::SqDetailedMetrics)
+  REQ_LVL_2_METRIC = 'request_level_perf'.freeze
   def initialize(metrics_engine, opts = {})
     Sqreen::Weave.logger.debug { "#{self.class.name}#initialize #{metrics_engine}" }
     @hooks = []
+    unless HAS_SQ_DETAILED_METRICS
+      Sqreen::Weave.logger.warn { "Detailed metrics are unavailable" }
+    end
     self.metrics_engine = metrics_engine
     ### bail out if no metric engine
     return if metrics_engine.nil?
+    # XXX: these metric definitions do not support change of opts
+    #      due to features updates!
     ### init metric to count calls to sqreen
     metrics_engine.create_metric(
       'name' => 'sqreen_call_counts',
@@ -60,12 +78,42 @@ class Sqreen::Weave::Legacy::Instrumentation
       'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
     )
+    metrics_engine.create_metric(
+      'name' => 'req.sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+    metrics_engine.create_metric(
+      'name' => 'sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+    metrics_engine.create_metric(
+      'name' => 'sq.shrinkwrap',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
     Sqreen.thread_cpu_time? && metrics_engine.create_metric(
       'name' => 'sq_thread_cpu_pct',
       'period' => opts[:period] || 60,
       'kind' => 'Binning',
       'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
     )
+    if HAS_SQ_DETAILED_METRICS # rubocop:disable Style/GuardClause
+      @lvl_2_metric = metrics_engine.create_metric(
+        'name' => REQ_LVL_2_METRIC,
+        'period' => opts[:perf_req_metrics_period] || 60,
+        'kind' => 'ReqDetailed',
+      )
+      @lvl_2_max_reqs = opts[:perf_req_metrics_max_reqs] || 100
+    end
   end
   # needed by Sqreen::Runner#initialize
@@ -84,6 +132,15 @@ class Sqreen::Weave::Legacy::Instrumentation
     ### set up rule signature verifier
     verifier = nil
+    if Sqreen.features['rules_signature'] &&
+       Sqreen.config_get(:rules_verify_signature) == true &&
+       !defined?(::JRUBY_VERSION)
+      verifier = Sqreen::SqreenSignedVerifier.new
+      Sqreen::Weave.logger.debug('Rules signature enabled')
+    else
+      Sqreen::Weave.logger.debug('Rules signature disabled')
+    end
     ### force clean instrumentation callback list
     @hooks = []
     ### for each rule description
@@ -94,6 +151,25 @@ class Sqreen::Weave::Legacy::Instrumentation
       next unless rule_callback
       ### attach framework to callback
       rule_callback.framework = framework
+      ## create metric
+      Sqreen::Weave.logger.debug { "Adding rule metric: #{rule_callback}" }
+      [:pre, :post, :failing].each do |whence|
+        next unless rule_callback.send(:"#{whence}?")
+        metric_name = "sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+        metric_name = "req.sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+      end
       ### install callback, observing priority
       Sqreen::Weave.logger.debug { "Adding rule callback: #{rule_callback}" }
       @hooks << add_callback("weave,rule=#{rule['name']}", rule_callback, strategy)
@@ -107,30 +183,62 @@ class Sqreen::Weave::Legacy::Instrumentation
     end
     metrics_engine = self.metrics_engine
+    lvl_2_metric = @lvl_2_metric
+    lvl_2_max_reqs = @lvl_2_max_reqs
     request_hook = Sqreen::Graft::Hook['Sqreen::ShrinkWrap#call', strategy]
     @hooks << request_hook
     request_hook.add do
-      before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
+      before('wave,meta,request', rank: -100000, mandatory: true) do |call|
         next unless Sqreen.instrumentation_ready
-        uuid = SecureRandom.uuid
-        now = Sqreen::Graft::Timer.read
+        # shrinkwrap_timer = Sqreen::Graft::Timer.new('weave,shrinkwrap')
+        # shrinkwrap_timer.start
+        request_timer = Sqreen::Graft::Timer.new("request")
+        request_timer.start
+        sqreen_timer = Sqreen::Graft::Timer.new("sqreen")
+        budget = Sqreen::Weave::Budget.current
+        timed_level = (Sqreen.features['perf_level'] || 1).to_i
+        timed_level = 1 if !HAS_SQ_DETAILED_METRICS && timed_level == 2
+        if timed_level == 2 && lvl_2_metric.num_requests >= lvl_2_max_reqs
+          timed_level = 1
+          Sqreen::Weave.logger.debug { "Reducing timed level to 1 (#{lvl_2_metric.num_requests} reqs accumulated)" }
+        end
+        Sqreen::Weave.logger.debug { "request budget: #{budget} timed.level: #{timed_level}" } if Sqreen::Weave.logger.debug?
+        route_found = nil
+        if timed_level >= 2
+          rack_env, = call.args
+          rack_request = Rack::Request.new(rack_env) if rack_env
+          # TODO: Rails engines
+          # TODO: Struct
+          # TODO: Sinatra
+          # TODO: Rack?
+          Rails.application.routes.router.recognize(rack_request) do |route, params|
+            route = ActionDispatch::Routing::RouteWrapper.new(route)
+            route_found = { name: route.name, verb: route.verb, path: route.path, reqs: route.reqs, params: params }
+          end if defined?(Rails) && Rails.application && defined?(ActionDispatch::Routing::RouteWrapper)
+        end
+        # TODO: Struct
         Thread.current[:sqreen_http_request] = {
-          uuid: uuid,
-          start_time: now,
-          time_budget: Sqreen.performance_budget,
+          request_timer: request_timer,
+          sqreen_timer: sqreen_timer,
           time_budget_expended: false,
-          timer: Sqreen::Graft::Timer.new("request_#{uuid}"),
+          time_budget: budget,
           timed_callbacks: [],
           timed_hooks: [],
-          timed_hooks_before: [],
-          timed_hooks_after: [],
-          timed_hooks_raised: [],
-          timed_hooks_ensured: [],
+          timed_level: timed_level,
           skipped_callbacks: [],
+          route: ("#{route_found[:verb]} #{route_found[:path]}" if route_found),
+          # timed_shrinkwrap: shrinkwrap_timer,
         }
-        Sqreen::Weave.logger.debug { "request.uuid: #{uuid}" }
+        # shrinkwrap_timer.stop
       end
       ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
@@ -138,105 +246,89 @@ class Sqreen::Weave::Legacy::Instrumentation
         next if request.nil?
+        timed_level = request[:timed_level]
+        req_detailed = SqDetailedMetrics::Request.new if timed_level >= 2
+        # shrinkwrap_timer = request[:timed_shrinkwrap]
+        # shrinkwrap_timer.start
         Thread.current[:sqreen_http_request] = nil
-        now = Sqreen::Graft::Timer.read
-        utc_now = Time.now.utc
-        request[:timed_callbacks].each do |timer|
-          duration = timer.duration
-          # stop = now
-          # start = now - duration
-          timer.tag =~ /weave,rule=(.*)$/ && rule = $1
-          timer.tag =~ /@before/ && whence = 'pre'
-          timer.tag =~ /@after/  && whence = 'post'
-          timer.tag =~ /@raised/ && whence = 'failing'
-          next unless rule && whence
-          # Sqreen::PerformanceNotifications.notify(rule, whence, start, stop)
-          # => BinnedMetrics
-          metric_name = "sq.#{rule}.#{whence}"
-          unless metrics_engine.metric?(metric_name)
-            metrics_engine.create_metric(
-              'name' => metric_name,
-              'period' => 60,
-              'kind' => 'Binning',
-              'options' => { 'base' => 2.0, 'factor' => 0.1 },
-            )
+        request_timer = request[:request_timer]
+        now = request_timer.stop
+        if timed_level >= 1
+          request[:timed_callbacks].each do |timer|
+            duration_ms = timer.duration * 1000.0
+            # XXX: the timer tag should have this structured data;
+            # it would be better than recomputing this for every measurement
+            metric_name = ::Sqreen::Weave::Legacy::Instrumentation.tag_to_metric_name(timer.tag)
+            next unless metric_name
+            metrics_engine.update(metric_name, now, nil, duration_ms)
+            duration_ms *= -1.0 if timer.conditions_passed
+            req_detailed.add_measurement metric_name, duration_ms if req_detailed
           end
-          metrics_engine.update(metric_name, now, nil, duration * 1000)
         end
-        metric_name = 'sq.hooks_pre.pre'
-        duration = request[:timed_hooks_before].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-        metric_name = 'sq.hooks_post.post'
-        duration = request[:timed_hooks_after].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-        metric_name = 'sq.hooks_failing.failing'
-        duration = request[:timed_hooks_raised].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
+        sqreen_timer = request[:sqreen_timer]
+        Sqreen::Weave.logger.debug do
+          "request sqreen_timer.total: #{'%.03fus' % (sqreen_timer.duration * 1_000_000)}"
+        end if Sqreen::Weave.logger.debug?
+        Sqreen::Weave.logger.debug do
+          "request request_timer.total: #{'%.03fus' % (request_timer.duration * 1_000_000)}"
+        end if Sqreen::Weave.logger.debug?
+        if timed_level >= 1 && Sqreen::Weave.logger.debug?
+          skipped = request[:skipped_callbacks].map(&:name)
+          Sqreen::Weave.logger.debug { "request callback.skipped.count: #{skipped.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_callbacks].map(&:to_s)
+          total = request[:timed_callbacks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request callback.total: #{'%.03fus' % (total * 1_000_000)} callback.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_hooks].map(&:to_s)
+          total = request[:timed_hooks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request hook.total: #{'%.03fus' % (total * 1_000_000)} hook.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
         end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-        skipped = request[:skipped_callbacks].map(&:name)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.skipped.size: #{skipped.count} callback.skipped: [#{skipped.join(', ')}]" }
-        timer = request[:timer]
-        total = timer.duration
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} timer.total: #{'%.03fus' % (total * 1_000_000)} timer.size: #{timer.size}" }
-        timings = request[:timed_callbacks].map(&:to_s)
-        total = request[:timed_callbacks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.total: #{'%.03fus' % (total * 1_000_000)} callback.timings: [#{timings.join(', ')}]" }
-        timings = request[:timed_hooks].map(&:to_s)
-        total = request[:timed_hooks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} hook.total: #{'%.03fus' % (total * 1_000_000)} hook.timings: [#{timings.join(', ')}]" }
-        skipped = request[:skipped_callbacks].map(&:name)
-        skipped_rule_name = skipped.first && skipped.first =~ /weave,rule=(.*)$/ && $1
-        Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
-        sqreen_request_duration = total
-        Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
-        request_duration = now - request[:start_time]
-        Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
+        overtime_cb = ::Sqreen::Weave::Legacy::Instrumentation.tag_to_metric_name(request[:overtime_cb]) \
+                      if request[:overtime_cb]
+        metrics_engine.update('request_overtime', now, overtime_cb, 1) if overtime_cb
+        sqreen_request_duration = sqreen_timer.duration * 1000.0
+        metrics_engine.update('sq', now, nil, sqreen_request_duration)
+        request_duration = request_timer.duration * 1000.0
+        metrics_engine.update('req', now, nil, request_duration)
         sqreen_request_ratio = (sqreen_request_duration * 100.0) / (request_duration - sqreen_request_duration)
-        Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+        metrics_engine.update('pct', now, nil, sqreen_request_ratio)
+        Sqreen::Weave.logger.debug { "request sqreen_timer.ratio: #{'%.03f' % (sqreen_request_ratio / 100.0)}" } if Sqreen::Weave.logger.debug?
+        if req_detailed
+          req_detailed.route = request[:route]
+          req_detailed.overtime_cb = overtime_cb if overtime_cb
+          req_detailed.add_measurement 'sq', sqreen_request_duration
+          req_detailed.add_measurement 'req', request_duration
+          metrics_engine.update(REQ_LVL_2_METRIC, now, nil, req_detailed)
+        end
+        # shrinkwrap_timer.stop
+        # duration = shrinkwrap_timer.duration
+        # metrics_engine.update('sq.shrinkwrap', now, nil, duration * 1000)
       end
     end.install
     ### globally declare instrumentation ready
     Sqreen.instrumentation_ready = true
+    Sqreen::Weave.logger.info { "Instrumentation activated" }
   end
   # needed by Sqreen::Runner
   def remove_all_callbacks
     Sqreen.instrumentation_ready = false
+    Sqreen::Weave.logger.info { "Instrumentation deactivated" }
     loop do
       hook = @hooks.pop
@@ -253,6 +345,15 @@ class Sqreen::Weave::Legacy::Instrumentation
     klass = callback.klass
     method = callback.method
+    if (call_count = ENV['SQREEN_DEBUG_CALL_COUNT'])
+      call_count = JSON.parse(call_count)
+      if callback.respond_to?(:rule_name) && call_count.key?(callback.rule_name)
+        count = call_count[callback.rule_name]
+        Sqreen::Weave.logger.debug { "override rule: #{callback.rule_name} call_count: #{count.inspect}" }
+        callback.instance_eval { @call_count_interval = call_count[callback.rule_name] }
+      end
+    end
     if Sqreen::Graft::HookPoint.new("#{klass}.#{method}").exist?
       hook_point = "#{klass}.#{method}"
     elsif Sqreen::Graft::HookPoint.new("#{klass}##{method}").exist?
@@ -268,14 +369,14 @@ class Sqreen::Weave::Legacy::Instrumentation
     hook = Sqreen::Graft::Hook[hook_point, strategy]
     hook.add do
       if callback.pre?
-        before(rule, rank: priority, mandatory: !callback.overtimeable, flow: block, ignore: ignore) do |call, b|
+        use_flow = block || callback.is_a?(::Sqreen::Conditionable)
+        before(rule, rank: priority, mandatory: !callback.overtimeable, flow: use_flow, ignore: ignore) do |call, b|
           next unless Thread.current[:sqreen_http_request]
           i = call.instance
           a = call.args
           r = call.remaining
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i}" }
           begin
             ret = callback.pre(i, a, r)
           rescue StandardError => e
@@ -286,17 +387,30 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i} => return=#{ret.inspect}" }
-          case ret[:status]
-          when :skip, 'skip'
-            throw(b, b.return(ret[:new_return_value]).break!) if ret.key?(:new_return_value)
-          when :modify_args, 'modify_args'
-            throw(b, b.args(ret[:args]))
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil? || !ret.is_a?(Hash)
+          next if ret.nil? || !ret.is_a?(Hash)
+          throw_val =
+            case ret[:status]
+            when :skip, 'skip'
+              b.return(ret[:new_return_value]).break! if ret.key?(:new_return_value)
+            when :modify_args, 'modify_args'
+              b.args(ret[:args])
+            when :raise, 'raise'
+              if ret.key?(:exception)
+                b.raise(ret[:exception])
+              else
+                b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+              end
+            end if block
+          if ret && ret[:passed_conditions]
+            throw_val ||= b.noop
+            throw_val.passed_conditions!
+          end
+          next unless throw_val
+          throw_val.break! if ret[:skip_rem_cbs]
+          throw(b, throw_val)
         end
       end
@@ -309,7 +423,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i}" }
           begin
             ret = callback.post(v, i, a, r)
           rescue StandardError => e
@@ -320,15 +433,22 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i} => return=#{ret.inspect}" }
-          case ret[:status]
-          when :override, 'override'
-            throw(b, b.return(ret[:new_return_value])) if ret.key?(:new_return_value)
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil? || !ret.is_a?(Hash)
+          throw_val =
+            case ret[:status]
+            when :override, 'override'
+              b.return(ret[:new_return_value]) if ret.key?(:new_return_value)
+            when :raise, 'raise'
+              b.raise(ret[:exception]) if ret.key?(:exception)
+              b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+            end unless ret.nil? || !ret.is_a?(Hash) || !block
+          if ret && ret[:passed_conditions]
+            throw_val ||= b.noop
+            throw_val.passed_conditions!
+          end
+          next unless throw_val
+          throw(b, throw_val)
         end
       end
@@ -341,7 +461,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i}" }
           begin
             ret = callback.failing(e, i, a, r)
           rescue StandardError => e
@@ -352,23 +471,30 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => return=#{ret.inspect}" }
           throw(b, b.raise(e)) if ret.nil? || !ret.is_a?(Hash)
-          case ret[:status]
-          when :override, 'override'
-            throw(b, b.return(ret[:new_return_value])) if ret.key?(:new_return_value)
-          when :retry, 'retry'
-            throw(b, b.retry)
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          when :reraise, 'reraise'
-            throw(b, b.raise(e))
-          else
-            throw(b, b.raise(e))
-          end unless ret.nil? || !ret.is_a?(Hash)
+          throw_val =
+            case ret[:status]
+            when :override, 'override'
+              b.return(ret[:new_return_value]) if ret.key?(:new_return_value)
+            when :retry, 'retry'
+              b.retry
+            when :raise, 'raise'
+              b.raise(ret[:exception]) if ret.key?(:exception)
+              b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+            when :reraise, 'reraise'
+              b.raise(e)
+            else
+              b.raise(e)
+            end unless ret.nil? || !ret.is_a?(Hash) || !block
+          if ret && ret[:passed_conditions]
+            throw_val ||= b.noop
+            throw_val.passed_conditions!
+          end
+          next unless throw_val
+          throw(b, throw_val)
         end
       end
     end.install
@@ -403,4 +529,20 @@ class Sqreen::Weave::Legacy::Instrumentation
       Sqreen::Rules::RunUserActions.new(Sqreen, :auth_track, 1),
     ]
   end
+  def self.tag_to_metric_name(tag)
+    cached = @cache_tag_to_metric[tag]
+    return cached unless cached.nil?
+    tag =~ /weave,rule=(.*)$/ && rule = $1 and # rubocop:disable Style/AndOr
+      (tag =~ /@before/ && whence = 'pre' or # rubocop:disable Style/AndOr
+        tag =~ /@after/  && whence = 'post' or # rubocop:disable Style/AndOr
+        tag =~ /@raised/ && whence = 'failing' or # rubocop:disable Style/AndOr
+        tag =~ /@ensured/ && whence = 'finally')
+    @cache_tag_to_metric[tag] =
+      rule && whence ? "sq.#{rule}.#{whence}" : false
+  end
+  @cache_tag_to_metric = {}
 end