feat: Enhance AuthZEN demo with mock PDP server and new flags

- Added `mock_pdp` and `no_mock_pdp` flags for local testing with a mock PDP server.
- Implemented realistic authorization policies in the mock server for testing.
- Updated `Args` struct to include flags for mock PDP usage.
- Enhanced README with mock PDP details and usage instructions.
- Improved demo output to focus on authorization decisions without actual SLIM operations.

This update provides a more user-friendly experience for testing AuthZEN authorization scenarios.

Signed-off-by: Razco <razchn@gmail.com>

Author: RazcoDev

data-plane/Cargo.lock

@@ -23,3 +23,6 @@ clap = { workspace = true }
 parking_lot = { workspace = true }
 tokio = { workspace = true }
 tracing = { workspace = true }
+wiremock = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }

data-plane/examples/Cargo.toml

@@ -13,7 +13,7 @@ AuthZEN is an OpenID Foundation standard that defines a REST API for Policy Deci
 
 ## Example Features
 
-This example demonstrates:
+This example demonstrates AuthZEN authorization testing without full SLIM service operations:
 
 ### 🔐 Authorization Scenarios
 - **Route Authorization**: Agent-to-agent route establishment permissions
@@ -25,15 +25,18 @@ This example demonstrates:
 - AuthZEN client configuration and integration
 - SLIM entity to AuthZEN format conversion (Agent → Subject, AgentType → Resource)
 - Error handling and fallback policies
+- Mock PDP server for realistic testing
 - Performance testing with cached decisions
 
 ### 📊 Demo Scenarios
 1. **Agent Creation**: Create publisher, subscriber, and admin agents
-2. **Route Testing**: Authorized and unauthorized route creation attempts
-3. **Message Publishing**: Normal and oversized message authorization
-4. **Subscription Management**: Same-org and cross-org subscription attempts
+2. **Route Testing**: Authorized and unauthorized route creation authorization
+3. **Message Publishing**: Normal and oversized message authorization testing
+4. **Subscription Management**: Same-org and cross-org subscription authorization
 5. **Cache Testing**: Performance impact of authorization caching
 
+Note: This demo focuses on authorization decision testing. Actual SLIM operations (route creation, message publishing, subscriptions) are skipped to maintain clean output focused on AuthZEN functionality.
+
 ## Quick Start
 
 ### Prerequisites
@@ -55,13 +58,16 @@ cargo run --bin authzen-demo -- --help
 # Run with default settings (fail-open for demo)
 cargo run --bin authzen-demo
 
-# Test fail-closed security behavior
+# Run with mock PDP server (recommended - default)
+cargo run --bin authzen-demo -- --mock-pdp
+
+# Test fail-closed security behavior 
 cargo run --bin authzen-demo -- --fail-closed
 
-# Run with a real AuthZEN PDP
-cargo run --bin authzen-demo -- --pdp-endpoint http://your-pdp:8080
+# Test with real AuthZEN PDP (disable mock)
+cargo run --bin authzen-demo -- --no-mock-pdp --pdp-endpoint http://your-pdp:8080
 
-# Disable AuthZEN (JWT-only mode)
+# Disable AuthZEN entirely (JWT-only mode)
 cargo run --bin authzen-demo -- --authzen-enabled false
 ```
 
@@ -74,11 +80,30 @@ Options:
       --pdp-endpoint <ENDPOINT>        AuthZEN PDP endpoint URL [default: http://localhost:8080]
       --fallback-allow                 Allow operations when PDP is unavailable [default: true]
       --fail-closed                    Test fail-closed security (deny when PDP unavailable)
+      --mock-pdp                       Create a local mock PDP server [default: true]
       --demo-mode                      Run comprehensive demo scenarios [default: true]
   -v, --verbose                        Enable verbose authorization logging [default: false]
   -h, --help                           Print help information
 ```
 
+## Mock PDP Server
+
+The example includes a built-in mock AuthZEN PDP server for realistic testing without requiring an external policy engine. The mock PDP implements these policies:
+
+### 📋 Mock Policies
+- **Same-Organization Routes**: ✅ Allow route creation between agents in the same organization (`cisco`)
+- **Cross-Organization Routes**: ❌ Deny routes to external organizations (`external`, etc.)
+- **Message Publishing**: ✅ Allow normal message publishing within organization
+- **Subscriptions**: ✅ Allow subscriptions within the same organization
+- **Default Policy**: ✅ Allow other operations (for demo purposes)
+
+### 🎛️ Mock PDP Controls
+- `--mock-pdp` (default): Use local mock PDP with realistic policies
+- `--no-mock-pdp`: Connect to real PDP at `--pdp-endpoint`
+- `--fail-closed`: Test security-first behavior (deny when PDP unavailable)
+
+The mock PDP demonstrates how AuthZEN policies can enforce fine-grained access control beyond simple JWT claims, showing realistic organizational boundaries and operation restrictions.
+
 ## Expected Output
 
 When running the example, you'll see output like:

data-plane/examples/src/authzen-demo/README.md

@@ -67,6 +67,21 @@ pub struct Args {
     )]
     fail_closed: bool,
 
+    /// Use mock PDP server for testing
+    #[arg(
+        long,
+        default_value = "true",
+        help = "Create a local mock PDP server for testing (recommended for demos)"
+    )]
+    mock_pdp: bool,
+
+    /// Disable mock PDP server (convenience flag)
+    #[arg(
+        long,
+        help = "Disable mock PDP server (equivalent to --mock-pdp=false)"
+    )]
+    no_mock_pdp: bool,
+
     /// Demo mode (run through all scenarios)
     #[arg(
         long,
@@ -111,6 +126,16 @@ impl Args {
         }
     }
 
+    /// Check if mock PDP should be used
+    pub fn mock_pdp(&self) -> bool {
+        // If no_mock_pdp is set, override mock_pdp to false
+        if self.no_mock_pdp {
+            false
+        } else {
+            self.mock_pdp
+        }
+    }
+
     /// Check if demo mode is enabled
     pub fn demo_mode(&self) -> bool {
         self.demo_mode

data-plane/examples/src/authzen-demo/args.rs

@@ -13,16 +13,97 @@ use clap::Parser;
 use slim_datapath::messages::{Agent, AgentType};
 use tokio::time;
 use tracing::{info, warn, error};
+use wiremock::matchers::{method, path, body_json};
+use wiremock::{Mock, MockServer, ResponseTemplate};
 
 use slim::config;
 use slim_service::{
-    FireAndForgetConfiguration,
-    session::SessionConfig,
     authzen_integration::{AuthZenService, AuthZenServiceConfig},
 };
 
 mod args;
 
+/// AuthZEN response for mock server
+#[derive(serde::Serialize)]
+struct MockAuthZenResponse {
+    decision: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    context: Option<serde_json::Value>,
+}
+
+/// Set up a mock AuthZEN PDP server with realistic authorization policies
+async fn setup_mock_pdp() -> Result<MockServer, Box<dyn std::error::Error>> {
+    let mock_server = MockServer::start().await;
+
+    // Policy 1: Deny cross-organization routes (external organizations)
+    Mock::given(method("POST"))
+        .and(path("/access/v1/evaluation"))
+        .and(body_json(serde_json::json!({
+            "subject": {"type": "agent", "id": serde_json::Value::Null, "properties": serde_json::Value::Null},
+            "action": {"name": "route"},
+            "resource": {"type": "agent_type", "id": serde_json::Value::Null, "properties": {"organization": "external"}}
+        })))
+        .respond_with(ResponseTemplate::new(200).set_body_json(MockAuthZenResponse {
+            decision: false,
+            context: Some(serde_json::json!({"policy": "deny_cross_org_routes"})),
+        }))
+        .mount(&mock_server)
+        .await;
+
+    // Policy 2: Deny large messages (over 5MB) - simplified matching 
+    Mock::given(method("POST"))
+        .and(path("/access/v1/evaluation"))
+        .and(|req: &wiremock::Request| {
+            if let Ok(body) = std::str::from_utf8(&req.body) {
+                body.contains(r#""name":"publish"#) && body.contains("10000000")
+            } else {
+                false
+            }
+        })
+        .respond_with(ResponseTemplate::new(200).set_body_json(MockAuthZenResponse {
+            decision: false,
+            context: Some(serde_json::json!({"policy": "deny_large_messages"})),
+        }))
+        .mount(&mock_server)
+        .await;
+
+    // Policy 3: Deny cross-org subscriptions - simplified matching
+    Mock::given(method("POST"))
+        .and(path("/access/v1/evaluation"))
+        .and(|req: &wiremock::Request| {
+            if let Ok(body) = std::str::from_utf8(&req.body) {
+                body.contains(r#""name":"subscribe"#) && body.contains(r#""organization":"external"#)
+            } else {
+                false
+            }
+        })
+        .respond_with(ResponseTemplate::new(200).set_body_json(MockAuthZenResponse {
+            decision: false,
+            context: Some(serde_json::json!({"policy": "deny_cross_org_subscribe"})),
+        }))
+        .mount(&mock_server)
+        .await;
+
+    // Default policy: Allow all other requests (same-org operations)
+    Mock::given(method("POST"))
+        .and(path("/access/v1/evaluation"))
+        .respond_with(ResponseTemplate::new(200).set_body_json(MockAuthZenResponse {
+            decision: true,
+            context: Some(serde_json::json!({"policy": "default_allow"})),
+        }))
+        .mount(&mock_server)
+        .await;
+
+    info!("🎭 Mock PDP server started at: {}", mock_server.uri());
+    info!("📋 Configured policies:");
+    info!("   ✅ Same-organization operations: ALLOW");
+    info!("   ❌ Cross-organization routes/subscriptions: DENY"); 
+    info!("   ❌ Large messages (>5MB): DENY");
+    info!("   ✅ Normal operations: ALLOW");
+
+    Ok(mock_server)
+}
+
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Parse command line arguments
@@ -36,14 +117,32 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     info!("🚀 Starting SLIM AuthZEN Integration Example");
     info!("📄 Config file: {}", config_file);
 
+    // Set up mock PDP if enabled
+    let _mock_server = if args.mock_pdp() {
+        Some(setup_mock_pdp().await?)
+    } else {
+        None
+    };
+
+    // Determine PDP endpoint
+    let pdp_endpoint = if args.mock_pdp() {
+        if let Some(ref mock_server) = _mock_server {
+            mock_server.uri()
+        } else {
+            args.pdp_endpoint()
+        }
+    } else {
+        args.pdp_endpoint()
+    };
+
     // Create service with AuthZEN integration
     let id = slim_config::component::id::ID::new_with_str("slim/0").unwrap();
     let mut svc = config.services.remove(&id).unwrap();
 
     // Configure AuthZEN integration
     let authzen_config = AuthZenServiceConfig {
         enabled: args.authzen_enabled(),
-        pdp_endpoint: args.pdp_endpoint(),
+        pdp_endpoint: pdp_endpoint.clone(),
         timeout: Duration::from_secs(5),
         cache_ttl: Duration::from_secs(300),
         fallback_allow: args.fallback_allow(),
@@ -57,11 +156,15 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         if authzen_service.is_enabled() { "ENABLED" } else { "DISABLED" });
 
     if authzen_service.is_enabled() {
-        info!("🏠 PDP Endpoint: {}", args.pdp_endpoint());
+        if args.mock_pdp() {
+            info!("🎭 Using Mock PDP: {}", pdp_endpoint);
+        } else {
+            info!("🏠 PDP Endpoint: {}", pdp_endpoint);
+        }
         info!("🛡️  Fallback Policy: {}", 
             if args.fallback_allow() { "ALLOW (fail-open)" } else { "DENY (fail-closed)" });
 
-        if !args.fallback_allow() {
+        if !args.fallback_allow() && !args.mock_pdp() {
             info!("ℹ️  Note: Since no PDP is running, all operations will be DENIED (fail-closed security)");
         }
     }
@@ -70,6 +173,10 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     svc.run().await?;
 
     // Demo scenarios
+    if args.mock_pdp() {
+        info!("🎬 Running demo with Mock PDP - you should see realistic authorization decisions");
+    }
+    info!("ℹ️  This demo focuses on AuthZEN authorization testing (actual SLIM operations skipped)");
     demo_agent_creation(&mut svc, &authzen_service).await?;
     demo_route_authorization(&mut svc, &authzen_service).await?;
     demo_publish_authorization(&mut svc, &authzen_service).await?;
@@ -84,6 +191,9 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         Err(_) => error!("⏰ Timeout waiting for service shutdown"),
     }
 
+    // Keep mock server alive until the end
+    drop(_mock_server);
+
     Ok(())
 }
 
@@ -123,7 +233,7 @@ async fn demo_agent_creation(
 
 /// Demonstrate route authorization
 async fn demo_route_authorization(
-    svc: &mut slim_service::Service,
+    _svc: &mut slim_service::Service,
     authzen_service: &AuthZenService,
 ) -> Result<(), Box<dyn std::error::Error>> {
     info!("\n🛣️  === ROUTE AUTHORIZATION DEMO ===");
@@ -143,9 +253,8 @@ async fn demo_route_authorization(
     ).await {
         Ok(true) => {
             info!("✅ Route authorization GRANTED");
-            // Actually create the route
-            svc.set_route(&publisher_agent, &target_type, None, connection_id as u64).await?;
-            info!("🛣️  Route established successfully");
+            // Note: Skipping actual route creation to avoid service connection errors
+            info!("🛣️  (Route creation skipped in demo - authorization successful)");
         }
         Ok(false) => {
             info!("❌ Route authorization DENIED by policy");
@@ -176,7 +285,7 @@ async fn demo_route_authorization(
 
 /// Demonstrate publish authorization
 async fn demo_publish_authorization(
-    svc: &mut slim_service::Service,
+    _svc: &mut slim_service::Service,
     authzen_service: &AuthZenService,
 ) -> Result<(), Box<dyn std::error::Error>> {
     info!("\n📤 === PUBLISH AUTHORIZATION DEMO ===");
@@ -199,15 +308,8 @@ async fn demo_publish_authorization(
         Ok(true) => {
             info!("✅ Publish authorization GRANTED");
 
-            // Create a session and publish a message
-            let session = svc.create_session(
-                &publisher_agent,
-                SessionConfig::FireAndForget(FireAndForgetConfiguration::default()),
-            ).await?;
-
-            let message = "Hello from AuthZEN demo!".as_bytes().to_vec();
-            svc.publish(&publisher_agent, session, &target_type, target_id, message).await?;
-            info!("📤 Message published successfully");
+            // Note: Skipping actual session creation and publishing to avoid service errors
+            info!("📤 (Message publishing skipped in demo - authorization successful)");
         }
         Ok(false) => {
             info!("❌ Publish authorization DENIED by policy");
@@ -242,7 +344,7 @@ async fn demo_publish_authorization(
 
 /// Demonstrate subscribe authorization
 async fn demo_subscribe_authorization(
-    svc: &mut slim_service::Service,
+    _svc: &mut slim_service::Service,
     authzen_service: &AuthZenService,
 ) -> Result<(), Box<dyn std::error::Error>> {
     info!("\n📥 === SUBSCRIBE AUTHORIZATION DEMO ===");
@@ -263,9 +365,8 @@ async fn demo_subscribe_authorization(
         Ok(true) => {
             info!("✅ Subscribe authorization GRANTED");
 
-            // Actually create subscription
-            svc.subscribe(&subscriber_agent, &source_type, source_id, None).await?;
-            info!("📥 Subscription created successfully");
+            // Note: Skipping actual subscription to avoid service errors
+            info!("📥 (Subscription skipped in demo - authorization successful)");
         }
         Ok(false) => {
             info!("❌ Subscribe authorization DENIED by policy");