MKT_KSA_Geolocation_Security 1.0.2

// removed: global allow for unused_async; functions already adjusted
/******************************************************************************************
  📍 منصة تحليل الأمان الجغرافي MKT KSA – تطوير منصور بن خالد
* 📄 رخصة Apache 2.0 – يسمح بالاستخدام والتعديل بشرط النسبة وعدم تقديم ضمانات.
* MKT KSA Geolocation Security – Developed by Mansour Bin Khalid (KSA 🇸🇦)
* Licensed under Apache 2.0 – https://www.apache.org/licenses/LICENSE-2.0
* © 2025 All rights reserved.
اسم الملف: device_fp.rs
    المسار:    src/core/device_fp.rs

    دور الملف:
    محرك بصمة الأجهزة المتطور، مصمم ببنية Traits-based مرنة وقابلة للتوسيع،
    يستخدم مبادئ أمان متقدمة لإدارة الأسرار (Zero-Knowledge) وخوارزميات عالية الأداء (BLAKE3)،
    مع دعم كامل للحوسبة غير المتزامنة (Async) لضمان أداء عالٍ في البيئات المتزامنة.
    المهام الأساسية:
    1. استخدام Traits لحقن التبعيات (AI, Security, Quantum) لمرونة قصوى.
    2. إدارة آمنة للمفاتيح باستخدام `secrecy` لمنع تسربها في الذاكرة.
    3. استخدام `tokio::sync::RwLock` لتحسين أداء القراءة المتزامنة.
    4. ضمان تهيئة المحرك لمرة واحدة فقط باستخدام `once_cell` (Singleton).
    5. توفير تطبيقات افتراضية لكل trait للاستخدام المباشر.
    6. بنية قابلة للاختبار بشكل كامل ومعزول (Unit Testing).
    --------------------------------------------------------------
    File Name: device_fp.rs
    Path:     src/core/device_fp.rs

    File Role:
    Advanced device fingerprinting engine, designed with a flexible and extensible
    Traits-based architecture. It employs advanced security principles for secret
    management (Zero-Knowledge), high-performance algorithms (BLAKE3), and full
    support for asynchronous computing to ensure high performance in concurrent environments.

    Main Tasks:
    1. Utilize Traits for dependency injection (AI, Security, Quantum) for maximum flexibility.
    2. Secure key management using `secrecy` to prevent memory leaks.
    3. Use `tokio::sync::RwLock` to improve concurrent read performance.
    4. Ensure engine is initialized only once using `once_cell` (Singleton).
    5. Provide default implementations for each trait for out-of-the-box use.
    6. A fully and granularly testable architecture (Unit Testing).
******************************************************************************************/

#![allow(
    clippy::too_many_lines,
    clippy::cast_possible_truncation,
    clippy::cast_sign_loss
)]

use std::collections::HashMap;
use std::ffi::{CStr, CString};
use std::sync::Arc;
use std::time::Instant;

use crate::security::secret::SecureBytes;
use async_trait::async_trait;
use blake3::Hasher;
use rand::rngs::OsRng;
use rand::RngCore;
use serde::{Deserialize, Serialize};
use thiserror::Error;
use tokio::sync::RwLock;

// ================================================================
// الأخطاء الرئيسية للنظام (معاد هيكلتها)
// Main System Errors (Refactored)
// ================================================================
#[derive(Debug, Error)]
pub enum FingerprintError {
    #[error("UTF-8 conversion error: {0}")]
    Utf8(#[from] std::str::Utf8Error),

    #[error("NUL character in string: {0}")]
    Nul(#[from] std::ffi::NulError),

    #[error("JSON serialization error: {0}")]
    Json(#[from] serde_json::Error),

    #[error("Failed to acquire lock on a resource")]
    LockFailed,

    #[error("Unsupported environment: {0}")]
    UnsupportedEnvironment(String),

    #[error("Quantum initialization failed: {0}")]
    QuantumInitFailed(String),

    #[error("Resource usage exceeded: {0}")]
    ResourceExceeded(String),

    #[error("Security threat detected: {0}")]
    SecurityThreat(String),
}

// ================================================================
// الهياكل الرئيسية (دون تغيير جوهري)
// Main Structures (No fundamental change)
// ================================================================
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct AdaptiveFingerprint {
    pub base_fp: String,
    pub adaptive_fp: String,
    pub ai_signature: String,
    pub security_level: u8,
    pub performance_level: u8,
    pub environment_profile: EnvironmentProfile,
    pub quantum_resistant: bool,
    pub generation_time_us: u64,
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EnvironmentProfile {
    pub os_type: String,
    pub device_category: String,
    pub threat_level: u8,
    pub resource_constraints: ResourceConstraints,
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct ResourceConstraints {
    pub max_memory_kb: u64,
    pub max_processing_us: u64,
}

// ================================================================
// الواجهات (Traits) للمكونات القابلة للحقن
// Traits for Injectable Components
// ================================================================

#[async_trait]
pub trait SecurityMonitor: Send + Sync {
    async fn scan_environment(&self, os: &str, device_info: &str) -> Result<(), FingerprintError>;
    async fn update_threat_database(&self, threat_data: &str) -> Result<(), FingerprintError>;
    async fn current_security_level(&self) -> u8;
}

#[async_trait]
pub trait QuantumEngine: Send + Sync {
    fn get_secure_key(&self) -> &SecureBytes;
    fn is_quantum_resistant(&self) -> bool;
}

#[async_trait]
pub trait AiProcessor: Send + Sync {
    async fn generate_ai_signature(
        &self,
        base_fp: &str,
        adaptive_fp: &str,
        env_profile: &EnvironmentProfile,
    ) -> Result<String, FingerprintError>;
}

// ================================================================
// المحرك الأساسي (معاد هيكلته بالكامل)
// Main Engine (Fully Refactored)
// ================================================================
pub struct AdaptiveFingerprintEngine {
    security: Arc<dyn SecurityMonitor>,
    quantum: Arc<dyn QuantumEngine>,
    ai: Arc<dyn AiProcessor>,
    env_profiles: Arc<RwLock<HashMap<String, EnvironmentProfile>>>,
}

impl AdaptiveFingerprintEngine {
    /// إنشاء محرك جديد مع حقن التبعيات
    /// Creates a new engine with dependency injection
    pub fn new(
        security: Arc<dyn SecurityMonitor>,
        quantum: Arc<dyn QuantumEngine>,
        ai: Arc<dyn AiProcessor>,
        env_profiles: Arc<RwLock<HashMap<String, EnvironmentProfile>>>,
    ) -> Self {
        Self {
            security,
            quantum,
            ai,
            env_profiles,
        }
    }

    /// توليد بصمة متطورة
    /// Generate an advanced fingerprint
    ///
    /// # Errors
    /// يعيد `FingerprintError` عند فشل الفحص الأمني، توليد البصمات، أو التوقيع بالذكاء الاصطناعي.
    /// Returns `FingerprintError` if security scan, fingerprint generation, or AI signature fails.
    pub async fn generate_fingerprint(
        &self,
        os: &str,
        device_info: &str,
        environment_data: &str,
    ) -> Result<AdaptiveFingerprint, FingerprintError> {
        let start_time = Instant::now();

        // 1. الفحص الأمني الأولي
        // 1. Initial security scan
        self.security.scan_environment(os, device_info).await?;

        // 2. تحليل البيئة وتحديد ملف التعريف
        // 2. Analyze environment and determine profile
        let env_type = Self::detect_environment_type(environment_data);
        let env_profile = self
            .env_profiles
            .read()
            .await
            .get(&env_type)
            .cloned()
            .ok_or_else(|| FingerprintError::UnsupportedEnvironment(env_type.clone()))?;

        // 3. إنشاء البصمة الأساسية
        // 3. Create the base fingerprint
        let base_fp = self.create_base_fingerprint(os, device_info, &env_profile);

        // 4. إنشاء البصمة التكيفية
        // 4. Create the adaptive fingerprint
        let adaptive_fp = Self::create_adaptive_fingerprint(&base_fp, &env_profile);

        // 5. إنشاء توقيع الذكاء الاصطناعي
        // 5. Create the AI signature
        let ai_signature = self
            .ai
            .generate_ai_signature(&base_fp, &adaptive_fp, &env_profile)
            .await?;

        Ok(AdaptiveFingerprint {
            base_fp,
            adaptive_fp,
            ai_signature,
            security_level: self.security.current_security_level().await,
            performance_level: 8, // Placeholder, can be dynamic
            environment_profile: env_profile,
            quantum_resistant: self.quantum.is_quantum_resistant(),
            generation_time_us: start_time.elapsed().as_micros() as u64,
        })
    }

    // --- وظائف مساعدة داخلية ---
    // --- Internal helper functions ---

    fn create_base_fingerprint(
        &self,
        os: &str,
        device_info: &str,
        _profile: &EnvironmentProfile,
    ) -> String {
        let mut hasher = Hasher::new();
        hasher.update(os.as_bytes());
        hasher.update(device_info.as_bytes());

        // استخدام مفتاح سري لتكون البصمة فريدة لكل نظام
        // Use a secret key to make the fingerprint unique per system
        let key = self.quantum.get_secure_key();
        hasher.update(key.expose());

        hasher.finalize().to_hex().to_string()
    }

    fn create_adaptive_fingerprint(base_fp: &str, profile: &EnvironmentProfile) -> String {
        let mut hasher = Hasher::new();
        hasher.update(base_fp.as_bytes());
        // إضافة عوامل تكيفية من ملف تعريف البيئة
        // Add adaptive factors from the environment profile
        hasher.update(&profile.threat_level.to_ne_bytes());
        hasher.update(profile.device_category.as_bytes());

        hasher.finalize().to_hex().to_string()
    }

    fn detect_environment_type(data: &str) -> String {
        if data.contains("mobile") || data.contains("android") || data.contains("ios") {
            "mobile".to_string()
        } else if data.contains("iot") || data.contains("embedded") {
            "iot".to_string()
        } else if data.contains("server") || data.contains("datacenter") {
            "server".to_string()
        } else {
            "desktop".to_string()
        }
    }
}

// ================================================================
// التطبيقات الافتراضية للمكونات
// Default Component Implementations
// ================================================================

// --- SecurityMonitor ---
pub struct DefaultSecurityMonitor {
    threat_database: RwLock<HashMap<String, u8>>,
    security_level: RwLock<u8>,
}

impl Default for DefaultSecurityMonitor {
    fn default() -> Self {
        Self::new()
    }
}

impl DefaultSecurityMonitor {
    #[must_use]
    pub fn new() -> Self {
        let mut db = HashMap::new();
        db.insert("rootkit".to_string(), 9);
        db.insert("memory_scrape".to_string(), 7);
        Self {
            threat_database: RwLock::new(db),
            security_level: RwLock::new(8),
        }
    }
}

#[async_trait]
impl SecurityMonitor for DefaultSecurityMonitor {
    async fn scan_environment(&self, os: &str, device_info: &str) -> Result<(), FingerprintError> {
        for (threat, _) in self.threat_database.read().await.iter() {
            if os.contains(threat) || device_info.contains(threat) {
                return Err(FingerprintError::SecurityThreat(format!(
                    "{threat} detected"
                )));
            }
        }
        Ok(())
    }

    async fn update_threat_database(&self, _threat_data: &str) -> Result<(), FingerprintError> {
        // ... (logic to parse and update db)
        Ok(())
    }

    async fn current_security_level(&self) -> u8 {
        *self.security_level.read().await
    }
}

// --- QuantumEngine ---
pub struct DefaultQuantumEngine {
    secure_key: SecureBytes,
}

impl DefaultQuantumEngine {
    ///
    /// # Errors
    /// Returns `FingerprintError::QuantumInitFailed` if secure key generation fails.
    pub fn new() -> Result<Self, FingerprintError> {
        let mut key_bytes = [0u8; 64];
        OsRng
            .try_fill_bytes(&mut key_bytes)
            .map_err(|e| FingerprintError::QuantumInitFailed(e.to_string()))?;
        Ok(Self {
            secure_key: SecureBytes::new(key_bytes.to_vec()),
        })
    }
}

#[async_trait]
impl QuantumEngine for DefaultQuantumEngine {
    fn get_secure_key(&self) -> &SecureBytes {
        &self.secure_key
    }
    fn is_quantum_resistant(&self) -> bool {
        true
    }
}

// --- AiProcessor ---
pub struct DefaultAiProcessor;

#[async_trait]
impl AiProcessor for DefaultAiProcessor {
    async fn generate_ai_signature(
        &self,
        base_fp: &str,
        adaptive_fp: &str,
        env_profile: &EnvironmentProfile,
    ) -> Result<String, FingerprintError> {
        let mut hasher = Hasher::new();
        hasher.update(base_fp.as_bytes());
        hasher.update(adaptive_fp.as_bytes());
        // إضافة عامل من "الذكاء" بناء على البيئة
        // Add a factor of "intelligence" based on the environment
        if env_profile.threat_level > 7 {
            hasher.update(b"high_security_protocol");
        }
        Ok(hasher.finalize().to_hex().to_string())
    }
}

// ================================================================
// واجهة النظام الخارجية (FFI) - باستخدام Singleton
// External System Interface (FFI) - Using Singleton
// ================================================================

// الهيكل لتجميع كل التبعيات الافتراضية
// Struct to hold all default dependencies
struct FullEngine {
    engine: AdaptiveFingerprintEngine,
}

impl FullEngine {
    fn new() -> Result<Self, FingerprintError> {
        // --- تهيئة البيئات ---
        // --- Initialize Environments ---
        let mut profiles = HashMap::new();
        profiles.insert(
            "mobile".to_string(),
            EnvironmentProfile {
                os_type: "Mobile".to_string(),
                device_category: "Phone/Tablet".to_string(),
                threat_level: 6,
                resource_constraints: ResourceConstraints {
                    max_memory_kb: 512,
                    max_processing_us: 5000,
                },
            },
        );
        profiles.insert(
            "desktop".to_string(),
            EnvironmentProfile {
                os_type: "Desktop".to_string(),
                device_category: "PC/Workstation".to_string(),
                threat_level: 4,
                resource_constraints: ResourceConstraints {
                    max_memory_kb: 2048,
                    max_processing_us: 10000,
                },
            },
        );

        let engine = AdaptiveFingerprintEngine::new(
            Arc::new(DefaultSecurityMonitor::new()),
            Arc::new(DefaultQuantumEngine::new()?),
            Arc::new(DefaultAiProcessor),
            Arc::new(RwLock::new(profiles)),
        );
        Ok(Self { engine })
    }
}

// استخدام once_cell لضمان التهيئة لمرة واحدة فقط
// Use once_cell to ensure one-time initialization
static ENGINE: std::sync::LazyLock<Result<FullEngine, FingerprintError>> =
    std::sync::LazyLock::new(FullEngine::new);

/// توليد بصمة (واجهة C) - الآن تستخدم النسخة الوحيدة
/// Generate fingerprint (C interface) - now uses the singleton instance
///
/// # Safety
/// - يجب أن تكون المؤشرات `os`, `device_info`, `env_data` صالحة وغير فارغة وتشير إلى سلاسل C منتهية بـ NUL.
/// - يجب أن تبقى الذاكرة المشار إليها صالحة طوال مدة النداء.
/// - السلسلة المعادة يجب تحريرها عبر `free_fingerprint_string` فقط لتفادي تسرب الذاكرة.
/// - This function expects valid NUL-terminated C strings and returns an owned C string that
///   must be freed with `free_fingerprint_string`.
#[no_mangle]
pub unsafe extern "C" fn generate_adaptive_fingerprint(
    os: *const std::ffi::c_char,
    device_info: *const std::ffi::c_char,
    env_data: *const std::ffi::c_char,
) -> *mut std::ffi::c_char {
    let result = || -> Result<CString, Box<dyn std::error::Error>> {
        let os_str = unsafe { CStr::from_ptr(os).to_str()? };
        let device_str = unsafe { CStr::from_ptr(device_info).to_str()? };
        let env_str = unsafe { CStr::from_ptr(env_data).to_str()? };

        // الوصول إلى المحرك المهيأ
        // Access the initialized engine
        let full_engine = match &*ENGINE {
            Ok(engine) => engine,
            Err(e) => return Err(e.to_string().into()),
        };

        // تنفيذ غير متزامن
        // Async execution
        let fp = tokio::runtime::Builder::new_current_thread()
            .enable_all()
            .build()?
            .block_on(
                full_engine
                    .engine
                    .generate_fingerprint(os_str, device_str, env_str),
            )?;

        let json = serde_json::to_string(&fp)?;
        Ok(CString::new(json)?)
    };

    result().map_or(std::ptr::null_mut(), std::ffi::CString::into_raw)
}

/// تحرير الذاكرة
/// Free memory
///
/// # Safety
/// - يجب تمرير مؤشر تم استلامه سابقاً من `generate_adaptive_fingerprint` فقط.
/// - لا تستدعِ هذه الدالة بمؤشر تم تحريره مسبقاً أو مؤشر غير صالح.
/// - The pointer must originate from `generate_adaptive_fingerprint` and be freed exactly once.
#[no_mangle]
pub unsafe extern "C" fn free_fingerprint_string(ptr: *mut std::ffi::c_char) {
    if !ptr.is_null() {
        unsafe {
            let _ = CString::from_raw(ptr);
        }
    }
}

// ================================================================
// اختبارات شاملة (محدثة بالكامل)
// Comprehensive Tests (Fully Updated)
// ================================================================
#[cfg(test)]
mod tests {
    use super::*;
    use std::sync::atomic::{AtomicU8, Ordering};

    // --- Mock Components for Testing ---

    struct MockSecurityMonitor {
        level: AtomicU8,
        should_fail: bool,
    }
    #[async_trait]
    impl SecurityMonitor for MockSecurityMonitor {
        async fn scan_environment(
            &self,
            _os: &str,
            _device_info: &str,
        ) -> Result<(), FingerprintError> {
            if self.should_fail {
                Err(FingerprintError::SecurityThreat("mock threat".to_string()))
            } else {
                Ok(())
            }
        }
        async fn update_threat_database(&self, _threat_data: &str) -> Result<(), FingerprintError> {
            Ok(())
        }
        async fn current_security_level(&self) -> u8 {
            self.level.load(Ordering::Relaxed)
        }
    }

    struct MockQuantumEngine;
    #[async_trait]
    impl QuantumEngine for MockQuantumEngine {
        fn get_secure_key(&self) -> &crate::security::secret::SecureBytes {
            // استخدام lazy_static لضمان أن المفتاح الوهمي ثابت
            // Use lazy_static to ensure the mock key is constant
            static MOCK_KEY: std::sync::LazyLock<crate::security::secret::SecureBytes> =
                std::sync::LazyLock::new(|| crate::security::secret::SecureBytes::new(vec![1; 32]));
            &MOCK_KEY
        }
        fn is_quantum_resistant(&self) -> bool {
            true
        }
    }

    struct MockAiProcessor;
    #[async_trait]
    impl AiProcessor for MockAiProcessor {
        async fn generate_ai_signature(
            &self,
            _b: &str,
            _a: &str,
            _e: &EnvironmentProfile,
        ) -> Result<String, FingerprintError> {
            Ok("mock_ai_signature".to_string())
        }
    }

    // --- Helper to build engine for tests ---
    fn setup_test_engine(sec_monitor: Arc<dyn SecurityMonitor>) -> AdaptiveFingerprintEngine {
        let mut profiles = HashMap::new();
        profiles.insert(
            "desktop".to_string(),
            EnvironmentProfile {
                os_type: "Desktop".to_string(),
                device_category: "PC".to_string(),
                threat_level: 4,
                resource_constraints: ResourceConstraints {
                    max_memory_kb: 2048,
                    max_processing_us: 10000,
                },
            },
        );

        AdaptiveFingerprintEngine::new(
            sec_monitor,
            Arc::new(MockQuantumEngine),
            Arc::new(MockAiProcessor),
            Arc::new(RwLock::new(profiles)),
        )
    }

    #[tokio::test]
    async fn test_successful_fingerprint_generation() {
        let sec_monitor = Arc::new(MockSecurityMonitor {
            level: AtomicU8::new(9),
            should_fail: false,
        });
        let engine = setup_test_engine(sec_monitor);

        let fp = engine
            .generate_fingerprint("Windows 11", "Dell XPS", "desktop")
            .await
            .unwrap();

        assert!(!fp.base_fp.is_empty());
        assert!(!fp.adaptive_fp.is_empty());
        assert_eq!(fp.ai_signature, "mock_ai_signature");
        assert_eq!(fp.security_level, 9);
        assert!(fp.quantum_resistant);
    }

    #[tokio::test]
    async fn test_security_threat_scenario() {
        let sec_monitor = Arc::new(MockSecurityMonitor {
            level: AtomicU8::new(5),
            should_fail: true,
        });
        let engine = setup_test_engine(sec_monitor);

        let result = engine
            .generate_fingerprint("Infected OS", "Device", "desktop")
            .await;

        assert!(matches!(result, Err(FingerprintError::SecurityThreat(_))));
    }
}