peat-protocol 0.9.0-rc.7

Peat Coordination Protocol — hierarchical capability composition over CRDTs for heterogeneous mesh networks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348

//! Secure Node Example
//!
//! Demonstrates the Peat security framework for device authentication
//! and RBAC authorization.
//!
//! # What This Shows
//!
//! 1. **Device Authentication**: Ed25519 keypair generation and challenge-response
//! 2. **RBAC Authorization**: Role-based permission checking for cell operations
//!
//! # Running the Example
//!
//! ```bash
//! cargo run --example secure_node -p peat-protocol
//! ```
//!
//! # Integration with peat-sim
//!
//! To add security to your simulation nodes:
//!
//! 1. Generate device identity at startup using `DeviceKeypair::generate()`
//! 2. Use `DeviceAuthenticator` for challenge-response with peers
//! 3. Check permissions with `AuthorizationController` before operations

use peat_protocol::security::{
    AuthenticatedEntity, AuthorizationContext, AuthorizationController, CellMembershipContext,
    DeviceAuthenticator, DeviceKeypair, Permission,
};
use std::collections::HashSet;

fn main() {
    println!("=== Peat Security Framework Demo ===\n");

    demo_device_authentication();
    demo_rbac_authorization();
    demo_integrated_flow();

    println!("\n=== Security Demo Complete ===");
}

/// Demonstrates device identity and mutual authentication
fn demo_device_authentication() {
    println!("--- 1. Device Authentication ---\n");

    // Generate keypairs for two devices
    let keypair_a = DeviceKeypair::generate();
    let keypair_b = DeviceKeypair::generate();

    println!("Device A ID: {}", keypair_a.device_id().to_hex());
    println!("Device B ID: {}", keypair_b.device_id().to_hex());

    // Create authenticators
    let auth_a = DeviceAuthenticator::new(keypair_a);
    let auth_b = DeviceAuthenticator::new(keypair_b);

    // === Round 1: A authenticates B ===
    println!("\n--- A authenticates B ---");

    // A generates challenge for B
    let challenge_for_b = auth_a.generate_challenge();
    println!(
        "A sends challenge (nonce: {} bytes)",
        challenge_for_b.nonce.len()
    );

    // B responds to A's challenge
    let response_from_b = auth_b
        .respond_to_challenge(&challenge_for_b)
        .expect("B should respond to challenge");
    println!(
        "B sends signed response ({} bytes)",
        response_from_b.signature.len()
    );

    // A verifies B's response
    let verified_b_id = auth_a
        .verify_response(&response_from_b)
        .expect("A should verify B's response");
    println!("A verified B: {}", verified_b_id.to_hex());

    // === Round 2: B authenticates A ===
    println!("\n--- B authenticates A ---");

    // B generates challenge for A
    let challenge_for_a = auth_b.generate_challenge();
    println!(
        "B sends challenge (nonce: {} bytes)",
        challenge_for_a.nonce.len()
    );

    // A responds to B's challenge
    let response_from_a = auth_a
        .respond_to_challenge(&challenge_for_a)
        .expect("A should respond to challenge");
    println!(
        "A sends signed response ({} bytes)",
        response_from_a.signature.len()
    );

    // B verifies A's response
    let verified_a_id = auth_b
        .verify_response(&response_from_a)
        .expect("B should verify A's response");
    println!("B verified A: {}", verified_a_id.to_hex());

    // Both devices now have verified each other
    println!("\nMutual authentication complete:");
    println!("  A verified {} peers", auth_a.verified_peer_count());
    println!("  B verified {} peers", auth_b.verified_peer_count());

    println!();
}

/// Demonstrates role-based access control
fn demo_rbac_authorization() {
    println!("--- 2. RBAC Authorization ---\n");

    // Create authorization controller with default policy
    let controller = AuthorizationController::with_default_policy();

    // Create device identities
    let leader_keypair = DeviceKeypair::generate();
    let member_keypair = DeviceKeypair::generate();
    let observer_keypair = DeviceKeypair::generate();

    let leader_id = leader_keypair.device_id();
    let member_id = member_keypair.device_id();
    let observer_id = observer_keypair.device_id();

    println!("Created 3 device identities:");
    println!("  Leader:   {}", leader_id.to_hex());
    println!("  Member:   {}", member_id.to_hex());
    println!("  Observer: {}", observer_id.to_hex());

    // Create authenticated entities
    let leader = AuthenticatedEntity::from_device_id(leader_id);
    let member = AuthenticatedEntity::from_device_id(member_id);
    let observer = AuthenticatedEntity::from_device_id(observer_id);

    // Create authorization context where leader is the cell leader
    let mut cell_members = HashSet::new();
    cell_members.insert(leader_id.to_hex());
    cell_members.insert(member_id.to_hex());

    let membership = CellMembershipContext::new(Some(leader_id.to_hex()), cell_members);
    let context = AuthorizationContext::for_cell("alpha-squad").with_membership(membership);

    println!("\nCell context:");
    println!("  Cell ID: alpha-squad");
    println!("  Leader: {}", leader_id.to_hex());

    // Test permissions for Leader (cell leader has elevated permissions)
    println!("\nLeader permissions:");
    check_permission(
        &controller,
        &leader,
        Permission::SetCellObjective,
        &context,
        "SetCellObjective",
    );
    check_permission(
        &controller,
        &leader,
        Permission::SetCellLeader,
        &context,
        "SetCellLeader",
    );
    check_permission(
        &controller,
        &leader,
        Permission::WriteCellState,
        &context,
        "WriteCellState",
    );
    check_permission(
        &controller,
        &leader,
        Permission::DisbandCell,
        &context,
        "DisbandCell",
    );

    // Test permissions for Member (has limited permissions)
    println!("\nMember permissions:");
    check_permission(
        &controller,
        &member,
        Permission::ReadCellState,
        &context,
        "ReadCellState",
    );
    check_permission(
        &controller,
        &member,
        Permission::WriteCellState,
        &context,
        "WriteCellState",
    );
    check_permission(
        &controller,
        &member,
        Permission::SetCellLeader,
        &context,
        "SetCellLeader",
    );

    // Test permissions for Observer (read-only)
    // Create context without observer in cell members
    let observer_context = AuthorizationContext::for_cell("alpha-squad").with_membership(
        CellMembershipContext::new(Some(leader_id.to_hex()), HashSet::new()),
    );

    println!("\nObserver permissions (not a cell member):");
    check_permission(
        &controller,
        &observer,
        Permission::ReadCellState,
        &observer_context,
        "ReadCellState",
    );
    check_permission(
        &controller,
        &observer,
        Permission::WriteCellState,
        &observer_context,
        "WriteCellState",
    );

    println!();
}

fn check_permission(
    controller: &AuthorizationController,
    entity: &AuthenticatedEntity,
    permission: Permission,
    context: &AuthorizationContext,
    name: &str,
) {
    let result = controller.check_permission(entity, permission, context);
    let status = if result.is_ok() {
        "ALLOWED ✓"
    } else {
        "DENIED ✗"
    };
    println!("  {}: {}", name, status);
}

/// Demonstrates an integrated security flow
fn demo_integrated_flow() {
    println!("--- 3. Integrated Security Flow ---\n");
    println!("Scenario: New device joining an existing cell\n");

    // Step 1: Generate device identity
    let new_device = DeviceKeypair::generate();
    let new_device_id = new_device.device_id();
    println!(
        "1. New device generated identity: {}",
        new_device_id.to_hex()
    );

    // Step 2: Existing cell leader
    let leader_device = DeviceKeypair::generate();
    let leader_id = leader_device.device_id();
    println!("2. Cell leader identity: {}", leader_id.to_hex());

    // Step 3: Mutual authentication
    let new_auth = DeviceAuthenticator::new(new_device);
    let leader_auth = DeviceAuthenticator::new(leader_device);

    // New device authenticates to leader
    let challenge = leader_auth.generate_challenge();
    let response = new_auth.respond_to_challenge(&challenge).unwrap();
    let verified_new = leader_auth.verify_response(&response);

    // Leader authenticates to new device
    let challenge = new_auth.generate_challenge();
    let response = leader_auth.respond_to_challenge(&challenge).unwrap();
    let verified_leader = new_auth.verify_response(&response);

    println!(
        "3. Mutual authentication: {}",
        if verified_new.is_ok() && verified_leader.is_ok() {
            "SUCCESS ✓"
        } else {
            "FAILED ✗"
        }
    );

    // Step 4: Check authorization to join
    let controller = AuthorizationController::with_default_policy();
    let entity = AuthenticatedEntity::from_device_id(new_device_id);

    // Context: cell exists but new device not yet a member
    let membership = CellMembershipContext::new(Some(leader_id.to_hex()), HashSet::new());
    let context = AuthorizationContext::for_cell("alpha-squad").with_membership(membership);

    let can_read = controller.check_permission(&entity, Permission::ReadCellState, &context);
    let can_write = controller.check_permission(&entity, Permission::WriteCellState, &context);

    println!("4. Authorization check (as non-member):");
    println!(
        "   ReadCellState: {}",
        if can_read.is_ok() {
            "ALLOWED"
        } else {
            "DENIED"
        }
    );
    println!(
        "   WriteCellState: {}",
        if can_write.is_ok() {
            "ALLOWED"
        } else {
            "DENIED"
        }
    );

    // Step 5: After joining (device added to cell members)
    let mut members = HashSet::new();
    members.insert(leader_id.to_hex());
    members.insert(new_device_id.to_hex());

    let membership = CellMembershipContext::new(Some(leader_id.to_hex()), members);
    let context = AuthorizationContext::for_cell("alpha-squad").with_membership(membership);

    let can_read = controller.check_permission(&entity, Permission::ReadCellState, &context);
    let can_write = controller.check_permission(&entity, Permission::WriteCellState, &context);

    println!("5. Authorization check (after joining as member):");
    println!(
        "   ReadCellState: {}",
        if can_read.is_ok() {
            "ALLOWED ✓"
        } else {
            "DENIED"
        }
    );
    println!(
        "   WriteCellState: {}",
        if can_write.is_ok() {
            "ALLOWED ✓"
        } else {
            "DENIED"
        }
    );

    println!("\n✓ New device securely joined the cell");
}