Logonme.ps1

enum DataType {
    Tenants
    OidcAuthorizations
    OidcTokens
    Saml2Tokens
    AuditEvents
    Users
    Links
    Devices
    Claims
    Roles
    Applications
    HotpTokens
    TotpTokens
    Fido2Tokens
    Passwords
    Templates
    Sessions
}

enum ConfigType {
    CertificatesSigning
    CertificatesEncryption
    CertificatesConnection
    CertificateStoreCurrentUser
    CertificateStoreLocalMachine
    CertificateStoreFile
    CertificateStoreSql
    CredsDirectoryService
    CredsOtp
    CredsPassword
    CredsSharedSecret
    CredsFido2
    DirectoryAd
    DirectoryAdam
    DirectorySql
    DirectoryPortWise
    DirectoryNull
    BankIdV5
    Sts
    StsClaimsMapIngress
    StsClaimsMapEgress
    StsRelyingParty
    Oidc
    OidcClient
    OidcClientSettings
    OidcResource
    OidcScope
    Saml2
    Saml2IdentityProvider
    Saml2ServiceProvider
    AccountSelfService
    AuthenticationPolicy
    AuthenticationPolicyPath
    AuthenticationUserService
    AuthenticationProvisioningService
    AuthenticationEmailChallenge
    FormsMethodBankID
    FormsMethodCapcha
    FormsMethodEmailChallenge
    FormsMethodFido2
    FormsMethodFido2Enrollment
    FormsMethodImpersonation
    FormsMethodOtpEnrollment
    FormsMethodPassword
    FormsMethodPasswordReset
    FormsMethodUserRegistration
    FormsMethodSaml2
    FormsMethodSmsOtp
    FormsMethodSplash
    EmailSmtp
    EmailSendGrid
    SmsTelia
    SmsMobilstart
    SmsEmail
    SmsTurnpike
    UserVerificationBankID
    UserSyncLogonme4
    UserSyncNull
}

class ApiEndpointConfigs {
    [Hashtable] $dataMap_ = @{
        [DataType]::Tenants            = '/data/tenants'
        [DataType]::OidcAuthorizations = '/data/oidc_authorizations'
        [DataType]::OidcTokens         = '/data/oidc_tokens'
        [DataType]::Saml2Tokens        = '/data/saml2_tokens'
        [DataType]::AuditEvents        = '/data/audit_events'
        [DataType]::Users              = '/data/users'
        [DataType]::Devices            = '/data/user_devices'
        [DataType]::Claims             = '/data/user_claims'
        [DataType]::Roles              = '/data/user_roles'
        [DataType]::Applications       = '/data/user_applications'
        [DataType]::Links              = '/data/user_links'
        [DataType]::HotpTokens         = '/data/creds_tokens_hotp'
        [DataType]::TotpTokens         = '/data/creds_tokens_totp'
        [DataType]::Fido2Tokens        = '/data/creds_tokens_fido2'
        [DataType]::Passwords          = '/data/creds_password'
        [DataType]::Templates          = '/data/templates'
        [DataType]::Sessions           = '/data/sessions'
    }

    [Hashtable] $configMap_ = @{
        [ConfigType]::CertificatesSigning          = '/config/certificates_signing'
        [ConfigType]::CertificatesEncryption       = '/config/certificates_encryption'
        [ConfigType]::CertificatesConnection       = '/config/certificates_connection'
        [ConfigType]::CertificateStoreCurrentUser  = '/config/certificates_store_current_user'
        [ConfigType]::CertificateStoreLocalMachine = '/config/certificates_store_local_machine'
        [ConfigType]::CertificateStoreFile         = '/config/certificates_store_file'
        [ConfigType]::CertificateStoreSql          = '/config/certificates_store_sql'
        [ConfigType]::CredsDirectoryService        = '/config/credstore_directory'
        [ConfigType]::CredsOtp                     = '/config/credstore_otp'
        [ConfigType]::CredsPassword                = '/config/credstore_password'
        [ConfigType]::CredsSharedSecret            = '/config/credstore_shared_secret'
        [ConfigType]::CredsFido2                   = '/config/credstore_fido2'
        [ConfigType]::DirectoryAd                  = '/config/directory_service_ad'
        [ConfigType]::DirectoryAdam                = '/config/directory_service_adam'
        [ConfigType]::DirectoryNull                = '/config/directory_service_null'
        [ConfigType]::DirectoryPortWise            = '/config/directory_service_portwise'
        [ConfigType]::DirectorySql                 = '/config/directory_service_sql'
        [ConfigType]::BankIdV5                     = '/config/eid_client_bankidv5'
        [ConfigType]::Sts                          = '/config/sts'
        [ConfigType]::StsClaimsMapIngress          = '/config/sts_claimsmap_ingress'
        [ConfigType]::StsClaimsMapEgress           = '/config/sts_claimsmap_egress'
        [ConfigType]::StsRelyingParty              = '/config/sts_relying_party'
        [Configtype]::Oidc                         = '/config/oidc'
        [ConfigType]::OidcClient                   = '/config/oidc_client'
        [ConfigType]::OidcClientSettings           = '/config/oidc_client_settings'
        [ConfigType]::OidcResource                 = '/config/oidc_resource'
        [ConfigType]::OidcScope                    = '/config/oidc_scope'
        [ConfigType]::Saml2                        = '/config/saml2'
        [ConfigType]::Saml2ServiceProvider         = '/config/saml2_service_provider'
        [ConfigType]::Saml2IdentityProvider        = '/config/saml2_identity_provider'
        [ConfigType]::AccountSelfService           = '/config/provisioning_account_self_service'
        [ConfigType]::AuthenticationPolicy         = '/config/authentication_policy'
        [ConfigType]::AuthenticationPolicyPath     = '/config/authentication_policy_path'
        [ConfigType]::AuthenticationUserService    = '/config/authentication_user_service'
        [ConfigType]::AuthenticationProvisioningService    = '/config/authentication_provisioning_service'
        [ConfigType]::AuthenticationEmailChallenge = '/config/authentication_email_challenge'
        [ConfigType]::FormsMethodBankID            = '/config/forms_bankid'
        [ConfigType]::FormsMethodCapcha            = '/config/forms_capcha'
        [ConfigType]::FormsMethodEmailChallenge    = '/config/forms_email_challenge'
        [ConfigType]::FormsMethodFido2             = '/config/forms_fido2'
        [ConfigType]::FormsMethodFido2Enrollment   = '/config/forms_fido2_enrollment'
        [ConfigType]::FormsMethodImpersonation     = '/config/forms_impersonation'
        [ConfigType]::FormsMethodOtpEnrollment     = '/config/forms_otp_enrollment'
        [ConfigType]::FormsMethodPassword          = '/config/forms_password'
        [ConfigType]::FormsMethodPasswordReset     = '/config/forms_password_reset'
        [ConfigType]::FormsMethodUserRegistration  = '/config/forms_user_registration'
        [ConfigType]::FormsMethodSaml2             = '/config/forms_saml2'
        [ConfigType]::FormsMethodSmsOtp            = '/config/forms_smsotp'
        [ConfigType]::FormsMethodSplash            = '/config/forms_splash'
        [ConfigType]::EmailSmtp                    = '/config/notifier_mail_smtp'
        [ConfigType]::EmailSendGrid                = '/config/notifier_mail_sendgrid'
        [ConfigType]::SmsTelia                     = '/config/notifier_sms_telia'
        [ConfigType]::SmsMobilstart                = '/config/notifier_sms_mobilstart'
        [ConfigType]::SmsEmail                     = '/config/notifier_sms_email'
        [ConfigType]::SmsTurnpike                  = '/config/notifier_sms_turnpike'
        [ConfigType]::UserVerificationBankID       = '/config/user_verification_bankid'
        [ConfigType]::UserSyncLogonme4             = '/config/usersync_logonme4'
        [ConfigType]::UserSyncNull                 = '/config/usersync_null'
    }

    [string] GetDataOdataPath([DataType] $dataType) {
        return $this.dataMap_[$dataType]
    }

    [string] GetConfigOdataPath([ConfigType] $configType) {
        return $this.configMap_[$configType]
    }
}

class ApiCredentials {
    [string] $AccessToken
    [string] $TokenType
    [int] $ExpiresIn;

    ApiCredentials([string]$accessToken, [string]$tokenType, [int]$expiresIn) {
        $this.AccessToken = $accessToken;
        $this.TokenType = $tokenType;
        $this.ExpiresIn = $expiresIn;
    }
}

class ApiConfig {
    [string] $Environment
    [string] $LoginServiceUrl
    [string] $ApiBaseUrl
    [string] $ApiTenantId
    [string] $ApiClientId
    [string] $ApiClientSecret
    [string] $ApiTimeout
    [string] $ApiSetupUsername
    [string] $ApiSetupPassword
    [string] $ServerRoot

    ApiConfig([string]$filePath, [string]$environment) {
        $ini = $this.GetIniContent($filePath)
        $this.Environment = $environment
        $this.LoginServiceUrl = $ini[$environment]["LoginServiceUrl"]
        $this.ApiBaseUrl = $ini[$environment]["ApiBaseUrl"]
        $this.ApiTenantId = $ini[$environment]["ApiTenantId"]
        $this.ApiClientId = $ini[$environment]["ApiClientId"]
        $this.ApiClientSecret = $ini[$environment]["ApiClientSecret"]
        $this.ApiTimeout = $ini[$environment]["ApiTimeout"]
        $this.ApiSetupUsername = $ini[$environment]["ApiSetupUsername"]
        $this.ApiSetupPassword = $ini[$environment]["ApiSetupPassword"]
        $this.ServerRoot = $ini[$environment]["ServerRoot"]
    }

    [HashTable] GetIniContent($filePath) {
        $ini = @{}
        $section = ""
        $CommentCount = 0
        switch -regex -file $filePath {
            "^\[(.+)\]" {
                # Section
                $section = $matches[1]
                $ini[$section] = @{}
                $CommentCount = 0
            }
            "^(;.*)$" {
                # Comment
                $value = $matches[1]
                $CommentCount = $CommentCount + 1
                $name = "Comment" + $CommentCount
                $ini[$section][$name] = $value
            } 
            "(.+?)\s*=(.*)" {
                # Key
                $name, $value = $matches[1..2]
                $ini[$section][$name] = $value
            }
        }
        return $ini
    }

    Dump() {
        Write-Host -Separator "-"
        Write-Host "Environment =" $this.Environment
        Write-Host "LoginServiceUrl =" $this.LoginServiceUrl
        Write-Host "ApiBaseUrl =" $this.ApiBaseUrl
        Write-Host "ApiTenantId =" $this.ApiTenantId
        Write-Host "ApiClientId =" $this.ApiClientId
        Write-Host "ApiClientSecret =" $this.ApiClientSecret
        Write-Host "ApiTimeout =" $this.ApiTimeout
        Write-Host "ApiSetupUsername =" $this.ApiSetupUsername
        Write-Host "ApiSetupPassword =" $this.ApiSetupPassword
        Write-Host -Separator "-"
    }

    DumpEnvironmentVariables() {
        Write-Host -Separator "-"
        Write-Host " LogonmeModuleFile = '$env:LogonmeModuleFile'"
        Write-Host " LogonmeVersion = '$env:LogonmeVersion'"
        Write-Host " LogonmeSharedVolumeDirectory = '$env:LogonmeSharedVolumeDirectory'"
        Write-Host " LogonmeTenant = '$env:LogonmeTenant'"
        Write-Host -Separator "-"
    }
}


if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type) {
    $certCallback = @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    public class ServerCertificateValidationCallback
    {
        public static void Ignore()
        {
            if(ServicePointManager.ServerCertificateValidationCallback ==null)
            {
                ServicePointManager.ServerCertificateValidationCallback +=
                    delegate
                    (
                        Object obj,
                        X509Certificate certificate,
                        X509Chain chain,
                        SslPolicyErrors errors
                    )
                    {
                        return true;
                    };
            }
        }
    }
"@

    Add-Type $certCallback
}
[ServerCertificateValidationCallback]::Ignore()
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

class ApiClient {
    [ApiConfig] $Config
    [ApiEndpointConfigs] $Endpoints
    [ApiCredentials] $Credentials

    ApiClient([ApiConfig] $config) {
        $this.Config = $config;
        $this.Endpoints = [ApiEndpointConfigs]::new();
        $this.Credentials = $this.AquireAccessToken();
    }

    [object] GetByFilter([string] $odataPath, [string] $odataFilter) {
        $uri = ($this.Config.ApiBaseUrl + $odataPath + '/?$filter=' + $odataFilter)
        $accessToken = $this.Credentials.AccessToken
        $headers = @{Authorization = "Bearer $accessToken" }
        $result = Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Get -Headers $headers | ForEach-Object { $_ }
        if ($result -isnot [array]) {
            $result = @( $result )
        }
        $result | ForEach-Object {
            $refUri = ($this.Config.ApiBaseUrl + $odataPath + '/' + $_.id)
            $_ | Add-Member -MemberType NoteProperty -Name "URL" -Value $refUri
        }
        return $result
    }

    [object] GetWithBasicAuth([string] $path) {
        $uri = ($this.Config.ApiBaseUrl + $path)
        $accessToken = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}@{1}:{2}" -f $this.Config.ApiSetupUsername, $this.Config.ApiTenantId, $this.Config.ApiSetupPassword)))
        $headers = @{Authorization = "Basic $accessToken" }
        return Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Get -Headers $headers -ContentType "application/json"
    }

    [object] Get([string] $odataPath) {
        return $this.Get($odataPath, $null)
    }

    [object] Get([string] $odataPath, [object] $id) {
        $uri = ($this.Config.ApiBaseUrl + $odataPath + '/' + $id)
        $accessToken = $this.Credentials.AccessToken
        $headers = @{Authorization = "Bearer $accessToken" }
        $result = Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Get -Headers $headers -ContentType "application/json"
        if ($result -isnot [array]) {
            $result | Add-Member -MemberType NoteProperty -Name "URL"  -Value $uri
            $result = @( $result )
            return $result;
        }
        $result | ForEach-Object {
            $_ | Add-Member -MemberType NoteProperty -Name "URL" -Value ($uri + $_.id)
        }
        return $result
    }

    [object] Post([string] $odataPath, [object] $objData) {
        $uri = ($this.Config.ApiBaseUrl + $odataPath)
        $accessToken = $this.Credentials.AccessToken
        $headers = @{Authorization = "Bearer $accessToken" }
        $obj = $objData.PsObject.Copy()
        $obj.PSObject.Properties.Remove("URL")
        $json = $objData | ConvertTo-Json
        return Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Post -Body $json -Headers $headers -ContentType "application/json"
    }

    [object] Upload([string] $odataPath, [object] $id, [string] $uploadFile) {
        $uri = ($this.Config.ApiBaseUrl + $odataPath + '/upload/' + $id)
        $accessToken = $this.Credentials.AccessToken
        $headers = @{Authorization = "Bearer $accessToken" }
        $fileContents = Get-Item $uploadFile
        return Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Post -ContentType "multipart/form-data" -Headers $headers -Form @{ file = $fileContents }
    }

    [object] Put([object] $objData) {
        $uri = $objData.URL
        $accessToken = $this.Credentials.AccessToken
        $headers = @{Authorization = "Bearer $accessToken" }
        $obj = $objData.PsObject.Copy()
        $obj.PSObject.Properties.Remove("URL")
        $json = $obj | ConvertTo-Json 
        return Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Put -Body $json -Headers $headers -ContentType "application/json"
    }

    [string] Delete([object] $objData) {
        $uri = $objData.URL
        $accessToken = $this.Credentials.AccessToken
        $headers = @{Authorization = "Bearer $accessToken" }
        return Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Delete -Headers $headers -ContentType "application/json"
    }

    [ApiCredentials] AquireAccessToken() {
        $Uri = $this.Config.LoginServiceUrl + "/ls/" + $this.Config.ApiTenantId + "/connect/token"
        try {
            $Body = @{
                grant_type    = "client_credentials"
                client_id     = $this.Config.ApiClientId
                client_secret = $this.Config.ApiClientSecret
                scope         = 'management'
                redirect_uri  = 'https://localhost/'
            }
            $res = Invoke-RestMethod -SkipCertificateCheck -Uri $uri -Method Post -Body $body -ContentType "application/x-www-form-urlencoded" 
            return  [ApiCredentials]::new($res.access_token, $res.token_type, $res.expires_in)
        }
        catch {
            $exception = $Error[0]
            Write-Warning "Failed to aquire access token from '$Uri', exception is '$exception'";
            return $null
        }
    }
}


function Get-LogonmeApiClient {
    param(
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("env")]
        [string] $ConfigEnvironment = 'DEFAULT'
    )
    $configFile = '.\Logonme.ini'
    $configTemplateFile = (Join-Path -Path $PSScriptRoot -ChildPath 'LogonmeTemplate.ini')
    if (-not (Test-Path -Path $configFile)) {
        Write-Warning "Logon.me API Client Configuration file '$configFile' does not exists, copying default template file '$configTemplateFile' to current directory"
        Copy-Item $configTemplateFile $configFile
    }

    $config = [ApiConfig]::new($configFile, $ConfigEnvironment)
    Write-Host "Imported configuration" -ForegroundColor green
    $config.Dump()

    switch ($config.ServerRoot) {
        '.' {
            $dataDirectory = (Get-Location).Path
        } 
        Default {
            $dataDirectory = $config.ServerRoot
        }
    }
    $env:LogonmeTenant = ($config.ApiTenantId)
    $env:LogonmeSharedVolumeDirectory = ($dataDirectory)
    Write-Host "Exported environment variables" -ForegroundColor green
    $config.DumpEnvironmentVariables()
    
    return [ApiClient]::new($config)
}

function Get-LogonmeDockerComposeFile {
    $dockerComposeTemplateFile = (Join-Path -Path $PSScriptRoot -ChildPath 'docker-compose-template.yml') 
    Get-Content -Path $dockerComposeTemplateFile
}


function Get-EnumValues {
    Param([string]$enum)

    $enumValues = @{}
    [enum]::getvalues([type]$enum) |
    ForEach-Object { 
        $enumValues.add($_, $_.value__)
    }
    return $enumValues
}

function Get-LogonmeConfig {
    param(
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("type")]
        [ConfigType]$ConfigType
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $false,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("filter")]
        [String]$OdataFilter
    )
    $odataPath = $ApiClient.Endpoints.GetConfigOdataPath($ConfigType)
    if ($OdataFilter) {
        $ApiClient.GetByFilter($odataPath, $odataFilter)
    }
    else {
        $ApiClient.Get($odataPath)
    }
}

function Add-LogonmeConfigFromFileData {
    param(
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("type")]
        [ConfigType]$ConfigType
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [string]$Id
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [string]$UploadFile
    )
    $odataPath = $ApiClient.Endpoints.GetConfigOdataPath($ConfigType)
    $ApiClient.Upload($odataPath, $id, $uploadFile)
}




function Add-LogonmeConfig {
    param(
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("type")]
        [ConfigType]$ConfigType
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [string]$Id
    )
    $odataPath = $ApiClient.Endpoints.GetConfigOdataPath($ConfigType)
    $obj = @{ id = $id }
    $temp = $ApiClient.Post($odataPath, $obj)
    $ApiClient.Get($odataPath, $id)
}

function Add-LogonmeData {
    param(
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("type")]
        [DataType]$DataType
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [object]$obj
    )
    $odataPath = $ApiClient.Endpoints.GetDataOdataPath($DataType)
    return $ApiClient.Post($odataPath, $obj)
}

function Get-LogonmeData {
    param(
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("type")]
        [DataType]$DataType
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $false,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("filter")]
        [String]$OdataFilter
    )
    $odataPath = $ApiClient.Endpoints.GetDataOdataPath($DataType)
    if ($OdataFilter) {
        $ApiClient.GetByFilter($odataPath, $odataFilter)
    }
    else {
        $ApiClient.Get($odataPath)
    }
}

function Remove-LogonmeObject {
    param (
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("obj")]
        [object]$Object
    )
    $ApiClient.Delete($Object)
}

function Set-LogonmeObject {
    param (
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("obj")]
        [object]$Object
    )
    $ApiClient.Put($Object)
}


Set-Alias -Name Set-LogonmeConfig -Value Set-LogonmeObject
Set-Alias -Name Set-LogonmeData -Value Set-LogonmeObject
Set-Alias -Name Remove-LogonmeConfig -Value Remove-LogonmeObject
Set-Alias -Name Remove-LogonmeData -Value Remove-LogonmeObject


enum SetupOperation {
    SeedConfiguration
    SeedData
    VerifyConfiguration
    VerifyLocalization
    DumpLocalization
    ClearConfigurationCache
    ClearSessionCache
    Drop
}

function Invoke-LogonmeSetup {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [SetupOperation]$Operation
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("env")]
        [string] $Environment = "develop"
    )

    switch ( $Operation ) {
        SeedConfiguration {
            $ApiClient.GetWithBasicAuth("/setup/seed_configuration" + '?environment=' + $Environment)
        }
        SeedData {
            $ApiClient.GetWithBasicAuth("/setup/seed_data" + '?environment=' + $Environment)
        }
        VerifyConfiguration {
            $ApiClient.GetWithBasicAuth("/setup/verify_configuration")
        }
        VerifyLocalization {
            $uri = ($ApiClient.Config.LoginServiceUrl + '/ls/' + $ApiClient.Config.ApiTenantId + '/localization/verify')
            Invoke-RestMethod -SkipCertificateCheck -Method Get -Uri $uri
        }
        DumpLocalization {
            $uri = ($ApiClient.Config.LoginServiceUrl + '/ls/' + $ApiClient.Config.ApiTenantId + '/localization/i18n')
            Invoke-RestMethod -SkipCertificateCheck -Method Get -Uri $uri
        }
        ClearConfigurationCache {
            $uri = ($ApiClient.Config.LoginServiceUrl + '/ls/' + $ApiClient.Config.ApiTenantId + '/config/clear')
            $res = Invoke-RestMethod -SkipCertificateCheck -Method Get -Uri $uri
            Write-Host $res
        }      
        ClearSessionCache {
            Get-LogonmeData -ApiClient $ApiClient -DataType Sessions | ForEach-Object { Logonme5-DeleteData -client $ApiClient -Object $_ }
        }
        Drop {
            $ApiClient.GetWithBasicAuth("/setup/drop")
        }
    }
}

function Get-LogonmeVersion {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
    )

    $managementServiceVersion = $ApiClient.GetWithBasicAuth("/about/version")
    $uri = ($ApiClient.Config.LoginServiceUrl + '/ls/' + $ApiClient.Config.ApiTenantId + '/about/version')
    $loginServiceVersion = Invoke-RestMethod -SkipCertificateCheck -Method Get -Uri $uri

    Write-Host "Management-Service: $managementServiceVersion"
    Write-Host "Login-Service: $loginServiceVersion"
}


function MakeARestCall { 
    param(
        [string] $Uri
        ,
        [string] $AccessToken
        ,
        [string] $Username
        ,
        [string] $LogFile
    )
    try {
        $Headers = @{Authorization = "Bearer $AccessToken" }
        return Invoke-RestMethod -SkipCertificateCheck -Uri $Uri -Method Get -Headers $Headers -ContentType "application/json" -Verbose
    }
    catch {
        Write-Warning "$Username FAILED"
        Add-Content $LogFile $Username
    }
}

function Sync-LogonmeUsers {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("if")]
        [string]$ImportFile
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("uid")]
        [string]$Username
    )

    if (-not ($ImportFile -or $Username)) {
        Write-Host "parameter ``ImportFile`` or ``Username`` must be specified"
        return
    }

    $baseUrl = $ApiClient.Config.ApiBaseUrl
    $accessToken = $ApiClient.Credentials.AccessToken
    $funcDef = $function:MakeARestCall.ToString() 

    $logFile = "sync-user-errors.txt"
    if (Test-Path $logFile -PathType leaf) {
        Clear-Content $logFile
    }

    if ($ImportFile) {
        $users = Get-Content $importFile
    }
    if ($Username) {
        $users = @( $Username )
    }


    $users | ForEach-Object -Parallel {
        $function:MakeARestCall = $using:funcDef
        $uri = $using:baseUrl + '/user_provisioning/sync-user?loginName=' + $_
        MakeARestCall -Uri $uri -AccessToken $using:accessToken -Username $_ -LogFile $using:logFile
    } -ThrottleLimit 10 
}

enum AdfsConfigOperation {
    Install
    Uninstall
}

function Get-LogonmeAdfsConfig {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [AdfsConfigOperation]$Operation
    )

    switch ( $Operation ) {
        Install {
            $ApiClient.Get('/config/adfs/install')
        }
        Uninstall {
            $ApiClient.Get('/config/adfs/uninstall')
        }
    }
}

function Find-LogonmeUsers {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("l")]
        [string]$Login
    )

    $escLogin = [uri]::EscapeDataString($Login)
    $result = New-Object System.Collections.ArrayList
  

    $u = Get-LogonmeData -ApiClient $ApiClient -DataType Users -OdataFilter "username eq '$escLogin'"
    if ($null -ne $u) {
        $result.Add($u) | Out-Null
    }
    $users = Get-LogonmeData -ApiClient $ApiClient -DataType Users -OdataFilter "emailAddress eq '$escLogin'"
    if ($null -ne $users -and $users.count -gt 0) {
        $result += $users
    }
    $users = Get-LogonmeData -ApiClient $ApiClient -DataType Users -OdataFilter "mobilePhone eq '$escLogin'"
    if ($null -ne $users -and $users.count -gt 0) {
        $result += $users
    }
    return $result
}



function Get-LogonmeUserData {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("l")]
        [string]$Login
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [DataType]$DataType
    )

    $users = Find-LogonmeUsers -ApiClient $ApiClient -Login $Login
    if ($null -ne $users) {
        if ($users.count -gt 1) {
            Write-Error "User search retured more than multiple users, use 'username' resolve this"
            return
        }
        $u = $users[0]
        $uid = $u.id
    
        return Get-LogonmeData -ApiClient $ApiClient -DataType $DataType -OdataFilter "userId eq '$uid'"
    }
}

function Add-LogonmeUserRole {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("l")]
        [string]$Login
        ,
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [string]$Name
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [string]$Issuer
        ,
        [Parameter(
            Mandatory = $false, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [string]$ClaimType
    )

    if (-not $Issuer) {
        $Issuer = "Logonme5" # default Issuer
    }

    if (-not $ClaimType) {
        $ClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" # default claim type
    }

    $users = Find-LogonmeUsers -ApiClient $ApiClient -Login $login
    if ($null -ne $users) {
        if ($users.count -gt 1) {
            Write-Error "User search retured more than multiple users, use 'username' resolve this"
            return
        }
        $u = $users[0]

        $obj = @{
            id        = "rid-" + [guid]::NewGuid().ToString("n")
            userId    = $u.id
            issuer    = $Issuer
            name      = $Name
            claimType = $ClaimType
        }
        $temp = Add-LogonmeData -ApiClient $ApiClient -DataType Roles -obj $obj
        if ($temp) {
            $uid = $obj.userId
            $rid = $obj.id
            Write-Host "Successfully created role '$Name' ($rid) for user '$uid'"
            return Get-LogonmeData -ApiClient $ApiClient -DataType Roles -OdataFilter "id eq '$rid'" 
        }
        Write-Error "Failed to create role '$Name' for user '$u'"

    }
    else {
        Write-Error "User not found"
    }
}

function Export-LogonmeData {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
    )

    Get-LogonmeData -ApiClient $ApiClient -DataType Tenants
    Get-LogonmeData -ApiClient $ApiClient -DataType OidcAuthorizations
    Get-LogonmeData -ApiClient $ApiClient -DataType OidcTokens
    Get-LogonmeData -ApiClient $ApiClient -DataType Saml2Tokens
    Get-LogonmeData -ApiClient $ApiClient -DataType AuditEvents
    Get-LogonmeData -ApiClient $ApiClient -DataType Users
    Get-LogonmeData -ApiClient $ApiClient -DataType Devices
    Get-LogonmeData -ApiClient $ApiClient -DataType Claims
    Get-LogonmeData -ApiClient $ApiClient -DataType Roles
    Get-LogonmeData -ApiClient $ApiClient -DataType Applications
    Get-LogonmeData -ApiClient $ApiClient -DataType Links
    Get-LogonmeData -ApiClient $ApiClient -DataType HotpTokens
    Get-LogonmeData -ApiClient $ApiClient -DataType TotpTokens
    Get-LogonmeData -ApiClient $ApiClient -DataType Fido2Tokens
    Get-LogonmeData -ApiClient $ApiClient -DataType Passwords
    Get-LogonmeData -ApiClient $ApiClient -DataType Sessions
}

function Export-LogonmeConfigs {
    param(  
        [Parameter(
            Mandatory = $true, 
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true)
        ]
        [Alias("client")]
        [ApiClient] $ApiClient
    )

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificatesSigning
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificatesEncryption
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificatesConnection

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificateStoreCurrentUser
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificateStoreLocalMachine
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificateStoreFile
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CertificateStoreSql

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CredsDirectoryService
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CredsOtp
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CredsPassword
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType CredsSharedSecret

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType DirectoryAd
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType DirectoryAdam
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType DirectorySql
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType DirectoryPortWise

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType BankIdV5

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType Sts
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType StsClaimsMapIngress
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType StsClaimsMapEgress
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType StsRelyingParty

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType Oidc
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType OidcClient
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType OidcClientSettings
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType OidcResource
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType OidcScope

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType Saml2
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType Saml2ServiceProvider
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType Saml2IdentityProvider

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType AccountSelfService

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType AuthenticationPolicy
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType AuthenticationPolicyPath
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType AuthenticationUserService
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType AuthenticationProvisioningService
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType AuthenticationEmailChallenge

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodBankID
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodCapcha
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodEmailChallenge
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodFido2
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodFido2Enrollment
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodImpersonation
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodOtpEnrollment
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodPassword
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodPasswordReset
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodUserRegistration
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodSmsOtp
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType FormsMethodSplash
 
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType EmailSmtp
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType EmailSendGrid

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType SmsTelia
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType SmsMobilstart
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType SmsEmail
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType SmsTurnpike

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType UserVerificationBankID

    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType UserSyncLogonme4
    Get-LogonmeConfig -ApiClient $ApiClient -ConfigType UserSyncNull
}