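<#
    SCRIPT 21 - AUTHENTICATION MODEL REPORT
    READ-ONLY | SAFE FOR PRODUCTION

    Inventories the authentication configuration of every SharePoint web
    application zone (provider display names, claims vs. classic mode,
    Kerberos/NTLM, SSL binding, anonymous access) and writes:
      - <OutputCsv>                       one row per web application zone
      - <base>_Summary_<timestamp>.csv    row count per RiskLevel
      - <base>_RunLog_<timestamp>.txt     timestamped progress log
      - <base>_Errors_<timestamp>.csv     only when an error was recorded

    Parameters:
      -OutputCsv  full path of the detail CSV; its directory is created if missing
      -NoPrompt   skip the interactive "Type YES to continue" confirmation

    Must run in the SharePoint Management Shell (or a shell where the
    Microsoft.SharePoint.PowerShell snap-in can be added). Nothing in the
    farm is modified: only Get-* cmdlets and property reads are used.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$OutputCsv,
    [switch]$NoPrompt
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

# NOTE(review): the banner previously said "SCRIPT 20" while the header says 21;
# aligned to the header - confirm which number this script carries in the series.
Write-Host "SCRIPT 21 - AUTHENTICATION MODEL REPORT" -ForegroundColor Cyan
Write-Host "READ-ONLY - NO CHANGES WILL BE MADE" -ForegroundColor Green

# --------------------------------------------------
# Load SharePoint Snap-in
# --------------------------------------------------
try {
    # Explicit -ErrorAction so the probe itself does not trip $ErrorActionPreference = "Stop".
    if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }
}
catch {
    throw "Run in SharePoint Management Shell. Error: $($_.Exception.Message)"
}

# --------------------------------------------------
# Output Setup
# --------------------------------------------------
$outDir = Split-Path -Path $OutputCsv -Parent
if ([string]::IsNullOrWhiteSpace($outDir)) {
    throw "Provide full OutputCsv path (e.g., C:\Temp\AuthModel.csv)"
}
if (-not (Test-Path -Path $outDir -PathType Container)) {
    New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Companion files share the detail report's base name and a single run
# timestamp so the outputs of one run can be matched up afterwards.
$timestamp   = (Get-Date).ToString("yyyyMMdd_HHmmss")
$baseName    = [System.IO.Path]::GetFileNameWithoutExtension($OutputCsv)
$summaryPath = Join-Path $outDir "$baseName`_Summary_$timestamp.csv"
$logPath     = Join-Path $outDir "$baseName`_RunLog_$timestamp.txt"
$errorPath   = Join-Path $outDir "$baseName`_Errors_$timestamp.csv"

# --------------------------------------------------
# Logging
# --------------------------------------------------
$log    = New-Object System.Collections.Generic.List[string]
$errors = New-Object System.Collections.Generic.List[object]

# Appends a timestamped line to the in-memory run log and echoes it to the console.
# The log is flushed to $logPath at the end of the run.
function Log($msg) {
    $line = "[{0}] {1}" -f (Get-Date -Format "yyyy-MM-dd HH:mm:ss"), $msg
    $log.Add($line)
    Write-Host $line
}

# Records a non-fatal error for the error CSV. $scope identifies the web
# application (and zone) the error belongs to; $msg is the exception text.
function Add-ErrorRecord($scope, $msg) {
    $errors.Add([pscustomobject]@{
        Timestamp = Get-Date
        Scope     = $scope
        Message   = $msg
    })
}

# --------------------------------------------------
# Prompt
# --------------------------------------------------
if (-not $NoPrompt) {
    Write-Host "This script audits authentication configuration." -ForegroundColor Yellow
    if ((Read-Host "Type YES to continue") -ne "YES") {
        return
    }
}

# --------------------------------------------------
# Risk Model
# --------------------------------------------------

# Maps a zone's authentication description and SSL state to High/Medium/Low.
# $authType is the "; "-joined tag string built in the main loop. Checks are
# ordered so that no SSL outranks everything and an NTLM/Classic marker
# outranks a Claims/Negotiate marker when both appear in the string.
function Get-RiskLevel($authType, $sslEnabled) {
    # [bool] cast: $null or an empty collection must read as "no SSL", not be
    # silently skipped the way "-eq $false" skips non-boolean values.
    if (-not [bool]$sslEnabled)              { return "High" }
    if ($authType -match "NTLM|Classic")     { return "Medium" }
    if ($authType -match "Claims|Negotiate") { return "Low" }
    return "Medium"
}

# Numeric score for a risk level (higher is better); 50 for an unknown level.
function Get-Score($risk) {
    switch ($risk) {
        "High"   { return 30 }
        "Medium" { return 60 }
        "Low"    { return 90 }
        default  { return 50 }
    }
}

# Human-readable next step for a risk level; unknown levels yield no text.
function Get-Recommendation($risk) {
    switch ($risk) {
        "High"   { return "Enable SSL and modern authentication before migration." }
        "Medium" { return "Validate authentication provider. Plan migration to claims-based model." }
        "Low"    { return "Authentication configuration aligned with modern standards." }
    }
}

# --------------------------------------------------
# Main Execution
# --------------------------------------------------
$results = New-Object System.Collections.Generic.List[object]

try {
    # @( ) so a farm with a single web application still exposes .Count under strict mode.
    $webApps = @(Get-SPWebApplication)
    Log "Found $($webApps.Count) web applications"
}
catch {
    Add-ErrorRecord "WebAppDiscovery" $_.Exception.Message
    throw
}

$allZones = [Microsoft.SharePoint.Administration.SPUrlZone]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])

foreach ($app in $webApps) {
    Log "Processing Web Application: $($app.Url)"
    foreach ($zone in $allZones) {
        # Only zones the web application has been extended to carry IIS settings.
        if (-not $app.IisSettings.ContainsKey($zone)) { continue }
        try {
            $iis = $app.IisSettings[$zone]

            # Provider display names (e.g. "Windows Authentication") plus explicit
            # mode tags, so the regexes in Get-RiskLevel have something to match.
            $authProviders = Get-SPAuthenticationProvider -WebApplication $app -Zone $zone -ErrorAction SilentlyContinue
            $tags = New-Object System.Collections.Generic.List[string]
            foreach ($provider in @($authProviders)) {
                if ($null -ne $provider) { $tags.Add($provider.DisplayName) }
            }
            if ($null -eq $authProviders) {
                # Silently-continued cmdlet failure: keep it visible in the error report.
                Add-ErrorRecord "$($app.Url) [$zone]" "Get-SPAuthenticationProvider returned no providers"
            }
            # Classic-mode web applications expose no claims providers, so the mode
            # comes from the web application itself rather than from the provider list.
            if ($app.UseClaimsAuthentication) { $tags.Add("Claims") } else { $tags.Add("Classic") }
            # DisableKerberos on the zone means Windows auth falls back to NTLM.
            if ($iis.DisableKerberos) { $tags.Add("NTLM") }
            $authType = $tags.ToArray() -join "; "

            # SecureBindings is a collection: "-ne $null" on it acts as a filter, and an
            # empty collection is never $null, so the old check could never yield "no SSL".
            # Test the element count instead.
            $sslEnabled  = ($null -ne $iis.SecureBindings) -and ($iis.SecureBindings.Count -gt 0)
            # A plain-HTTP binding next to the SSL one means the zone still accepts
            # unencrypted requests; reported as its own column, not folded into RiskLevel.
            $httpEnabled = ($null -ne $iis.ServerBindings) -and ($iis.ServerBindings.Count -gt 0)
            # NOTE(review): SSL terminated at a load balancer in front of IIS is not
            # visible here; such zones will be reported as UseSSL = False.

            $risk = Get-RiskLevel -authType $authType -sslEnabled $sslEnabled
            $results.Add([pscustomobject]@{
                WebAppUrl            = $app.Url
                Zone                 = $zone
                AuthenticationType   = $authType
                UseSSL               = $sslEnabled
                AllowsHttp           = $httpEnabled
                AllowAnonymous       = [bool]$iis.AllowAnonymous
                RiskLevel            = $risk
                Score                = Get-Score $risk
                Category             = "AuthenticationModel"
                ActionRecommendation = Get-Recommendation $risk
            })
        }
        catch {
            # Zone included in the scope so an error can be traced to one row.
            Add-ErrorRecord "$($app.Url) [$zone]" $_.Exception.Message
        }
    }
}

# --------------------------------------------------
# Export Reports
# --------------------------------------------------
if ($results.Count -eq 0) {
    Log "No web application zones were inventoried; detail and summary reports will be empty"
}

$results | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8

$results |
    Group-Object RiskLevel |
    ForEach-Object { [pscustomobject]@{ RiskLevel = $_.Name; Count = $_.Count } } |
    Export-Csv -Path $summaryPath -NoTypeInformation -Encoding UTF8

$log | Set-Content -Path $logPath

if ($errors.Count -gt 0) {
    $errors | Export-Csv -Path $errorPath -NoTypeInformation -Encoding UTF8
    Write-Host "ERROR REPORT: $errorPath" -ForegroundColor Yellow
}

Write-Host "DETAIL REPORT: $OutputCsv" -ForegroundColor Green
Write-Host "SUMMARY REPORT: $summaryPath" -ForegroundColor Green
Write-Host "RUN LOG: $logPath" -ForegroundColor Green
Write-Host "COMPLETE" -ForegroundColor Green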