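#requires -Version 7.0
<#
.SYNOPSIS
    Initialize Tanium (Redden-TanREST) from config.json, then export all roles whose
    name starts with a given prefix (default: CASH).

.DESCRIPTION
    Reads TaniumUrl and TaniumApiToken from config.json in the script folder, writes a
    short-lived CLIXML credential file for Initialize-TaniumSession, exports every
    matching role with Export-RoleToJSON, and deletes the credential file on exit.

.PARAMETER Prefix
    Role name prefix to match (prefix match, case-insensitive). Default: CASH.

.PARAMETER OutputFolder
    Destination folder for JSON exports. Default: %TEMP%\RBAC

.NOTES
    Security considerations:
    - config.json holds the API token as a plain string. Restrict the file's ACL to
      the account that runs this script and keep it out of source control.
    - The temporary .apicred file stores the token as a SecureString. Export-Clixml
      protects SecureStrings with DPAPI (current user) on Windows only; on other
      platforms the value is merely obfuscated, so prompt deletion matters.
    - The exported JSON describes RBAC roles. The default OutputFolder is under
      %TEMP%; pass an access-controlled folder if that content is sensitive.
#>
param(
    [string]$Prefix = 'CASH',
    [string]$OutputFolder = "$env:TEMP\RBAC"
)

$ErrorActionPreference = 'Stop'

# Best effort only: a failure here is ignored on purpose.
# NOTE(review): this pins ServicePointManager to TLS 1.2 exclusively, and only affects
# clients that consult ServicePointManager. Whether Redden-TanREST does is not visible here.
try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}

Import-Module Redden-TanREST -Force

# --- Load config
$ConfigPath = Join-Path $PSScriptRoot 'config.json'
if (-not (Test-Path $ConfigPath)) {
    throw "Configuration file not found: $ConfigPath"
}

$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# The scheme and trailing slashes are stripped, so only the host part is handed to the module.
$TaniumUrl = ($config.TaniumUrl -replace '^https?://', '').TrimEnd('/')
$TaniumTok = $config.TaniumApiToken

if ([string]::IsNullOrWhiteSpace($TaniumUrl) -or [string]::IsNullOrWhiteSpace($TaniumTok)) {
    throw "Both TaniumUrl and TaniumApiToken must be provided in $ConfigPath."
}

# --- Prepare output
if (-not (Test-Path $OutputFolder)) {
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
}

# --- Temporary CLIXML for Initialize-TaniumSession
# A random GUID in the name avoids a predictable credential path in %TEMP%.
$TempXml = Join-Path $env:TEMP ("tanium-session-{0}.apicred" -f ([guid]::NewGuid().ToString('N')))

try {
    # The credential file is written inside the try so that the finally block also
    # cleans up a partially written file if Export-Clixml itself fails.
    @{
        baseURI = $TaniumUrl
        token   = ($TaniumTok | ConvertTo-SecureString -AsPlainText -Force)
    } | Export-Clixml -Path $TempXml -Force

    Write-Host "Initializing Tanium session..."
    Initialize-TaniumSession -PathToXML $TempXml | Out-Null
    Write-Host "Session OK."

    # ---------- GET roles starting with prefix ----------
    # Prefer server-side regex; fall back to client-side if module/endpoint refuses inline (?i)
    # The prefix is regex-escaped so it is always matched literally.
    $regex = "(?i)^$([regex]::Escape($Prefix))"
    $roles = $null
    try {
        $roles = Get-Role -NameRegex $regex
    }
    catch {
        # Deliberate best effort: record the reason (visible with -Verbose) and fall back.
        Write-Verbose ("Get-Role -NameRegex failed, using client-side filter: {0}" -f $_.Exception.Message)
        $roles = $null
    }

    if (-not $roles) {
        # fallback: pull all and filter locally
        $roles = Get-Role -All | Where-Object { $_.name -match $regex -or $_.Name -match $regex }
    }

    if (-not $roles) {
        Write-Warning "No roles found starting with '$Prefix'."
        return
    }

    # ---------- Export each role ----------
    $exported = @()
    foreach ($r in @($roles)) {
        $id = if ($r.PSObject.Properties.Name -contains 'id') { $r.id }
              elseif ($r.PSObject.Properties.Name -contains 'ID') { $r.ID }
              else { $null }
        $name = if ($r.PSObject.Properties.Name -contains 'name') { $r.name }
                elseif ($r.PSObject.Properties.Name -contains 'Name') { $r.Name }
                else { $null }

        # A role without a name cannot be passed to Export-RoleToJSON; skip it.
        if (-not $name) { continue }

        try {
            Export-RoleToJSON -RoleName $name -OutputFolder $OutputFolder -SkipReInitialize:$true -ErrorAction Stop
            Write-Host ("✓ Exported: {0} (ID: {1})" -f $name, $id)
            $exported += [pscustomobject]@{ Id = $id; Name = $name }
        }
        catch {
            # One failed export must not stop the remaining roles.
            Write-Warning ("Export failed for role '{0}' (ID: {1}) — {2}" -f $name, $id, $_.Exception.Message)
        }
    }

    if ($exported) {
        Write-Host "`nSummary:"
        $exported | Sort-Object Name | Format-Table Id, Name -AutoSize
        Write-Host "`nJSON files in: $OutputFolder"
    }
}
finally {
    # Always try to delete the credential file, and report the real outcome: a token
    # file left on disk should not be announced as removed.
    if (Test-Path -LiteralPath $TempXml) {
        Remove-Item -LiteralPath $TempXml -Force -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $TempXml) {
            Write-Warning "Temporary CLIXML could not be removed; delete it manually: $TempXml"
        }
        else {
            Write-Host "Temporary CLIXML removed: $TempXml"
        }
    }
}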