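<#
.SYNOPSIS
This script adds the All Authenticated User to the data in RecordPoint for environments with trusted identity providers

.DESCRIPTION
It supports Adding and Removing the security settings from the Site specified.

The grant is made to the "All Users (<provider>)" claim of the first claims authentication
provider configured on the zone the site URL resolves to, i.e. to every identity authenticated
through that provider. Contribute is granted on the RecordPoint user-storage list; Read is
granted on the request and transfer lists and on every item of the Pages list.

.NOTES
This example script was prepared by RecordPoint Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

.PARAMETER RecordPointSiteUrl
The url of the RecordPoint Site
This parameter is mandatory

.PARAMETER Operation
When Add, the permissions are added
When Remove, the permissions are removed
This parameter is mandatory and must be either Add or Remove
#>
param (
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()]$RecordPointSiteUrl,
    [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][ValidateSet("Add", "Remove")][string]$Operation
)

Set-StrictMode -Version Latest

# Errors from loading the snap-in are suppressed (it may already be loaded), so verify that the
# SharePoint cmdlets are actually available before touching any permissions.
Add-PsSnapin microsoft.sharepoint.powershell -ErrorAction SilentlyContinue
if (-not (Get-Command Get-SPSite -ErrorAction SilentlyContinue)) {
    Write-Host "The SharePoint PowerShell snap-in could not be loaded"
    exit 1
}

# The data in RecordPoint to change
$LIST_TRANSFER = "RecordPoint Transfer Batch Numbers"
$LIST_REQUESTS = "RecordPoint Requests"
$LIST_DELETEREQUESTS = "RecordPoint Delete Requests"
$LIST_RECORDPOINTUSERSTORAGE = "RecordPointUserStorage"
$LIST_PAGES = "Pages"

# Checks that the zone the site was resolved through authenticates via a trusted identity
# provider and returns that provider's display name. Any failure prints the error and exits
# the script with code 1, so no permissions are changed for a site that does not qualify.
function ValidateTrustedIdentityProviderSite($site) {
    try {
        $iisSettings = $site.WebApplication.GetIisSettingsWithFallback($site.Zone)
        if (-not $iisSettings) {
            throw "Could not read the IIS settings for zone [" + $site.Zone + "]"
        }
        # NOTE(review): only the FIRST claims provider of the zone is inspected. A zone with
        # several providers configured passes this check on the strength of its first entry
        # alone - confirm that matches the deployment before relying on it.
        $firstClaimProvider = $iisSettings.ClaimsAuthenticationProviders[0]
        if ($firstClaimProvider.GetType().Name -ne "SPTrustedAuthenticationProvider") {
            throw "The Claim Provider [" + $firstClaimProvider.DisplayName + "] is not a trusted identity provider"
        }
        return $firstClaimProvider.DisplayName
    } catch {
        Write-Host $_
        exit 1
    }
}

# Returns the site user whose Name matches $userName, or exits the script if there is none.
# (Not used by the main flow below; kept for callers that resolve the principal by name.)
function GetUser($rpSite, $userName) {
    try {
        foreach ($user in $rpSite.RootWeb.AllUsers) {
            if ($user.Name -eq $userName) {
                return $user
            }
        }
        # The original message referenced an unset $url, which strict mode reports instead of
        # the intended "not found" text; use the site's own Url.
        throw "The User [$userName] was not found in Site [" + $rpSite.Url + "]"
    } catch {
        Write-Host $_
        exit 1
    }
}

# Returns the role assignment in $roleAssignments whose member Name equals $userName,
# or $null when there is no such assignment.
function GetRoleAssignment($roleAssignments, $userName) {
    try {
        foreach ($roleAssignment in $roleAssignments) {
            if ($roleAssignment.Member.Name -eq $userName) {
                return $roleAssignment
            }
        }
        return $null
    } catch {
        Write-Host $_
        exit 1
    }
}

# Looks up a role definition (e.g. "Read", "Contribute") on the site's root web.
function GetRoleDefinition($rpSite, $roleName) {
    return $rpSite.RootWeb.RoleDefinitions.Item($roleName)
}

# Adds $roleAssignment to the list itself. $displayName is only used for the log line.
function AddListPermissions($list, $roleAssignment, $displayName) {
    $list.RoleAssignments.Add($roleAssignment)
    Write-Host ("Added Role [$displayName] to List [" + $list.Title + "]")
}

# Adds $roleAssignment to every item of the list (item-level, not list-level).
function AddListItemPermissions($list, $roleAssignment, $displayName) {
    foreach ($item in $list.Items) {
        $item.RoleAssignments.Add($roleAssignment)
        Write-Host ("Added Role [$displayName] to Item [" + $item.Title + "]")
    }
}

# Removes the role assignment held by $userName from the list, if present.
function RemoveListPermissions($list, $userName) {
    $roleAssignment = GetRoleAssignment $list.RoleAssignments $userName
    if ($null -ne $roleAssignment) {
        $list.RoleAssignments.RemoveById($roleAssignment.Member.ID)
        Write-Host ("Removed Role [$userName] from List [" + $list.Title + "]")
    } else {
        Write-Host ("The Role [$userName] was not found on List [" + $list.Title + "]")
    }
}

# Removes the role assignment held by $userName from each item of the list, if present.
function RemoveListItemPermissions($list, $userName) {
    foreach ($item in $list.Items) {
        $roleAssignment = GetRoleAssignment $item.RoleAssignments $userName
        if ($null -ne $roleAssignment) {
            $item.RoleAssignments.RemoveById($roleAssignment.Member.ID)
            # Message corrected: these are item-level assignments, not the list's own.
            Write-Host ("Removed Role [$userName] from Item [" + $item.Title + "]")
        } else {
            Write-Host ("The Role [$userName] was not found on Item [" + $item.Title + "]")
        }
    }
}

$rpSite = Get-SPSite $RecordPointSiteUrl -ErrorAction Stop

# The zone used for the provider check is the one $RecordPointSiteUrl maps to; the grant that
# follows is therefore scoped to whatever provider that zone uses.
$providerName = ValidateTrustedIdentityProviderSite $rpSite
$providerNameLower = $providerName.ToLower()

# How to decode the magic encoded claim below:
# http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
#
# Security note: this claim stands for every identity authenticated through the trusted provider,
# not a single account. Everything granted below applies to that whole population.
$encodedClaim = "c:0!.s|trusted%3a" + $providerNameLower
$displayName = "All Users (" + $providerName + ")"
$user = New-SPClaimsPrincipal -EncodedClaim $encodedClaim

$roleDefRead = GetRoleDefinition $rpSite "Read"
$roleDefContribute = GetRoleDefinition $rpSite "Contribute"

if ($Operation -ne "Remove") {
    # Contribute on the user-storage list (loginName, email, name, notes constructor form).
    $roleAss = New-Object 'Microsoft.SharePoint.SPRoleAssignment' $user.ToEncodedString(), "", $displayName, ""
    $roleAss.RoleDefinitionBindings.Add($roleDefContribute)
    AddListPermissions $rpSite.RootWeb.Lists.Item($LIST_RECORDPOINTUSERSTORAGE) $roleAss $displayName

    # Read on the request/transfer lists and on each Pages item; one assignment object is reused.
    $roleAss = New-Object 'Microsoft.SharePoint.SPRoleAssignment' $user.ToEncodedString(), "", $displayName, ""
    $roleAss.RoleDefinitionBindings.Add($roleDefRead)
    AddListPermissions $rpSite.RootWeb.Lists.Item($LIST_REQUESTS) $roleAss $displayName

    # The delete request list may not exist if the "Delete Request Processing Infrastructure" component hasn't been enabled in CA
    $deleteRequestsList = $rpSite.RootWeb.Lists.TryGetList($LIST_DELETEREQUESTS)
    if ($null -ne $deleteRequestsList) {
        AddListPermissions $deleteRequestsList $roleAss $displayName
    }

    AddListPermissions $rpSite.RootWeb.Lists.Item($LIST_TRANSFER) $roleAss $displayName
    AddListItemPermissions $rpSite.RootWeb.Lists.Item($LIST_PAGES) $roleAss $displayName
} else {
    RemoveListPermissions $rpSite.RootWeb.Lists.Item($LIST_RECORDPOINTUSERSTORAGE) $displayName
    RemoveListPermissions $rpSite.RootWeb.Lists.Item($LIST_REQUESTS) $displayName

    # The delete request list may not exist if the "Delete Request Processing Infrastructure" component hasn't been enabled in CA
    $deleteRequestsList = $rpSite.RootWeb.Lists.TryGetList($LIST_DELETEREQUESTS)
    if ($null -ne $deleteRequestsList) {
        RemoveListPermissions $deleteRequestsList $displayName
    }

    RemoveListPermissions $rpSite.RootWeb.Lists.Item($LIST_TRANSFER) $displayName
    RemoveListItemPermissions $rpSite.RootWeb.Lists.Item($LIST_PAGES) $displayName
}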