Fixes

- (#158) PII: make the PII scrubbing of In-App WAF attack events
  case-insensitive in order to correctly scrub transformed request parameters.

- (#159) Monitoring: fix the content type and length monitoring of HTTP
  responses.

- (#157) Gin middleware: use the request Go context instead of Gin's so that the
  agent can properly manage the request execution context, but also to correctly
  propagate values stored in the Go context before the middleware function.

Add a new type of metrics for binning metrics and explicitely rename the
previous sum metrics store types to make the API clearer.

Add a thread-safe shared stopwatch implementation accouting time duration
between the first goroutine starting it and the last stopping. It will be used
to compute sqreen's execution time per request for the simplest preformance
monitoring level 1. It indeed allows to read time less frequenttl than multiple
detailed timers.

…lback api

Introduce a complete callback framework providing a fully managed and abstraced
callback-implementation API. Two new interfaces were introduced for that:

1. The RuleContext is the interface with the security rule the callback is
   serving. It hides implementation details such as the rule name, the blocking
   mode, etc. This context is provided at callback instantiation.

2. The CallbackContext is the result of a RuleContext within a given
   ProtectionContext. It is obtained by calling the RuleContext's Pre() and
   Post() methods, both expecting a function closure having the CallbackContext
   as argument. And this is how the callback gets wrapped with rule- and
   protection-specific features. The closure also allows to do the bridge with
   the hooked function for example to set its return values when blocking.

This patch ports every callback to this new architecture.

Some improvements - still not perfect - simplifying the protection API and
expectations regarding the agent.

…ction context changes

…adline exceeded

Monitor the execution time of requests protected by Sqreen. Optionally, it is
now possible to set the maximum amount of time Sqreen is allowed to run per
request: Sqreen's monitoring and protections will only run for the given amount
of time. This option is disabled by default and should be used with caution as
it can lead to partially protected requests.

The resulting performance monitoring diagrams and setting are available at
<https://my.sqreen.com/application/goto/settings/performance>.

Note that the execution time monitoring diagram cannot be used as a strict
Application Performance Monitoring diagram as it is based on a lossy exponential
time-interval representation.

Log a `not_found` attack when the response is the NotFound status code 404. This
attack is used by an internal backend playbook to detect vulnerability security
scanners. The `HandleAttack()` API has been adapted so that callbacks can have
more options and finer-grained control on the attack event creation.

In order to avoid the cost of having multiple callbacks on the HTTP status code
monitoring hookpoint (which would require the use of Go reflection), the
not_found attack is added to the existing monitoring callback.

When dogfooding the not_found attack, we suddenly started having a
high-frequency event. We therefore scaled the event queue to 10000 events by
default, and the number of goroutines sending them to Sqreen can now scale up to
the number of available CPUs. This allows to increase the overall throughput and
handle more events rather than dropping them.

Log a `not_found` attack when the response is the NotFound status code 404. This
attack is used by an internal backend playbook to detect vulnerability security
scanners. The `HandleAttack()` API has been adapted so that callbacks can have
more options and finer-grained control on the attack event creation.

In order to avoid the cost of having multiple callbacks on the HTTP status code
monitoring hookpoint (which would require the use of Go reflection), the
not_found attack is added to the existing monitoring callback.

When dogfooding the not_found attack, we suddenly started having a
high-frequency event. We therefore scaled the event queue to 10000 events by
default, and the number of goroutines sending them to Sqreen can now scale up to
the number of available CPUs. This allows to increase the overall throughput and
handle more events rather than dropping them.

Monitor the return error of Echo request handlers to see if they are Echo's
HTTPErrors, so that we can properly capture the HTTP status code that will be
later used by Echo. The HTTP response is indded out of the middleware scope in
that case.

Monitor the return error of Echo request handlers to see if they are Echo's
HTTPErrors, so that we can properly capture the HTTP status code that will be
later used by Echo. The HTTP response is otherwise out of the middleware scope in
that case.

Add backoff error logging for better error management in the request hotpaths. A
backoff error logger is created using `plog.WithBackoff()`. It manages error
counters and logs the error every time the counter value is a power of two.
Error can be either individually counted when wrapped by `sqerrors.WithKey()`,
or simply share the common counter of the backoff error logger object.

Simple backoff error logger integration in the agent and its callbacks. The
error indexing should be further defined over time as it is currently
oversampling due to shared keys (eg. avoiding using the same key for two
distinct binding accessor expresssions).

Critical execution errors happening in the request hot path are now logged
according to exponential backoff counters of their occurrences. This avoids
slowing down request handlers but also spamming the internal agent queue.
Such error will now go through the agent error logging facility every time the
backoff counter is a power of two (1, 2, 4, 8, etc.). This is disabled when in
debug log level.

Correctly handle the default response case.

Fix the response's content-length monitoring with the default response (ie. the handler does nothing).

… the tests

Use the track event name the backend expects. Restoring the tests highlighted
some inconsistent blocking behavior between user/ip blocking/redirecting that
are now fixed.

…y response actions

Enable the correct event display on the dashboard by fixing the track event name with
the one the backend actually expects.
Also, restoring the security response tests highlighted some inconsistent blocking behavior
between user/ip blocking/redirecting that are now fixed.

Moving to an interface-only public API has the benefit of hiding the
type-implementation details that may change over time in the future. The
returned SDK values are now interface values and no longer pointer values. This
may break integrations having explicit types. We recommend to instead use
type-inference when possible.

From now, this change will allow us to transparently change the underlying
values returned by SDK calls. For example, as of today, the underlying SDK
values are small event collection wrappers that shouldn't be returned by
reference in order to avoid useless allocations, for the benefit of the overall
application performance. If the underlying object size increase in the future,
we will be able to return allocated structures instead without breaking existing
SDK integrations.

Moving to an interface-only public API has the benefit of hiding the
type-implementation details that may change over time in the future. The
returned SDK values are now interface values and no longer pointer values. This
may break integrations having explicit types. We recommend to instead use
type-inference when possible.

From now, this change will allow us to transparently change the underlying
values returned by SDK calls. For example, as of today, the underlying SDK
values are small event collection wrappers that shouldn't be returned by
reference in order to avoid useless allocations, for the benefit of the overall
application performance. If the underlying object size increase in the future,
we will be able to return allocated structures instead without breaking existing
SDK integrations.

…re reading its package path

Following up on elastic/apm-agent-go#848 and the
addition of the `Unwrap()` method to Elastic's SQL driver tracer, it is now
possible to unwrap it and properly read the package path of the underlying
driver as expected.

…method errors

Add finer-grained error keys that can be returned by the SQL dialect getter
method. This also highlighted the fact errors can be assigned multiple keys
while bubbling up the call stack. Therefore, the quick solution to get an error
key is to make `sqerrors.Key()` return the deepest key rather than the top one.
Ideally, it should rather combine multiple keys together in the future.

…re reading its package path

Following up on elastic/apm-agent-go#848 and the addition of the `Unwrap()`
method to Elastic's SQL driver tracer, it is now possible to unwrap it and properly
read the package path of the underlying driver as expected.

Make the HTTP response writer wrapper transparent by implementing the same
*known* interfaces as the underlying HTTP response writer it implements. The
list of interfaces is currently every optional `net/http` interfaces, and some
from `io` when relevant:

	- `http.Flusher`: to allow flushing any buffered to the client. This enables
	  support for streaming handlers.

	- `http.Hijacker`: to allow handlers to takeover the HTTP connection. This
	  should enable the support for websocket servers, which are not officially
	  supported by Sqreen, but is now experimentally allowed.

	- `http.Pusher`: for HTTP2 server push.

	- `http.CloseNotifier`: the deprecated closed connection notifier.

	- `io.ReaderFrom`: for optimized copies (eg. `io.Copy(file, w)`)

	- `io.WriteString`: for optimized string write (which avoids a temporary string copy into a byte slice)

The transparent wrapper implementation has been generated from a tool that will
be released in the Go agent repository in the future.

Fixes #162 and #134

Remove the useless response writer wrapper as Echo and Gin already monitor them.
Note that Gin actually doesn't allow changing the writter and all its helpers
use the internal in-memory writer. Therefore, we are for now accepting multiple
responses to keep the original response writer behaviour.

… js conversion

Make the HTTP response writer wrapper transparent by implementing the same
*known* interfaces as the underlying HTTP response writer. The
list of interfaces is currently every optional `net/http` interfaces, and some
from `io` when relevant:

  - `http.Flusher`: to allow flushing any buffered to the client. This enables
    support for streaming handlers.
  - `http.Hijacker`: to allow handlers to takeover the HTTP connection. This
	  should enable the support for websocket servers, which are not officially
	  supported by Sqreen, but is now experimentally allowed.
  - `http.Pusher`: for HTTP2 server push.
  - `http.CloseNotifier`: the deprecated closed connection notifier.
  - `io.ReaderFrom`: for optimized copies (eg. `io.Copy(file, w)`)
  - `io.WriteString`: for optimized string write (which avoids a temporary string copy into a byte slice)

The transparent wrapper implementation has been generated with a tool that will
be released in the Go agent repository in the future.

Fixes #162 and #134

- Restore max length checks
- Update max length error checks

Add `sdk.FromRequest()` helper function to retrieve Sqreen's SDK handle from a request.
It is a shortcut to `sdk.FromContext(r.Context())`.