# Complete setup for creating a distribution group and then the Transport Rule alongside it.
param(
    [Parameter(Mandatory=$false)]
    [string]$DistroGroupName = "GWStorageMonitoringUsers",

    [Parameter(Mandatory=$false)]
    [string]$RuleName = "Glasswall Attachment Processing Notice",

    [Parameter(Mandatory=$false)]
    [string]$Comments = "This rule adds a Glasswall processing notice banner to all inbound emails that include attachments for monitored email addresses.",

    # Mandatory in Standalone sets only
    [string]$ExchangeCertificatePath,

    [string]$ExchangeAppId,

    [string]$ExchangeOrganization,

    # Optional local/interactive login via UPN instead of cert
    [string]$UserPrincipalName,

    # Standalone switch â present in Halo, assumed Standalone if absent
    [switch]$Halo
)

if (-not $Halo)
{
    Write-Host("Starting Glasswall Outlook Banner synchronization...")

    if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
        Write-Warning "EXO module not found. Installing..."
        Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
    }

    if (-not (Get-Module -Name ExchangeOnlineManagement)) {
        Write-Verbose "Importing EXO module..."
        Import-Module ExchangeOnlineManagement
    }

    try {
        Get-OrganizationConfig -ErrorAction Stop | Out-Null
        Write-Host "Connected to Exchange Online" -ForegroundColor Green
    } catch {
        Write-Verbose "Not connected to Exchange Online. Initiating connection..."
        if ($UserPrincipalName) {
            Write-Host "Opening browser login for $UserPrincipalName..."
            Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName `
                                -ShowBanner:$false
        } else {
            Write-Warning "No UserPrincipalName provided, falling back to certificate authentication. Please ensure certificate parameters are provided..."
            $parametersMissing = $false
            if (-not $ExchangeCertificatePath) { Write-Error "-ExchangeCertificatePath is required"; $parametersMissing = $true }
            if (-not $ExchangeAppId) { Write-Error "-ExchangeAppId is required"; $parametersMissing = $true }
            if (-not $ExchangeOrganization) { Write-Error "-ExchangeOrganization is required"; $parametersMissing = $true }

            if ($parametersMissing) {
                Write-Error "One or more Exchange parameters are missing - see previous errors. Alternatively, please provide a valid email login for UserPrincipalName"
                exit 1
            }

            Write-Host "Connecting to Exchange Online via certificate authentication..."
            Connect-ExchangeOnline -AppId $ExchangeAppId `
                                -CertificateFilePath $ExchangeCertificatePath `
                                -Organization $ExchangeOrganization `
                                -ShowBanner:$false
        }

        Write-Host "Connected to Exchange Online" -ForegroundColor Green
    }
}

$disclaimerText = @"
    <div style="background-color: #e9fffb; color: black; border: 1px solid #5dddc3; padding: 4px 12px; margin-bottom: 8px;">
        <strong>Attachments in this email have been scanned for security.</strong> Files that are safe to open will have <strong>"GW"</strong> at the start of their name.
        Use caution with any attachment that doesn't show this prefix. When in doubt, contact your IT Department.
        For more information, visit <a href="https://docs.glasswall.com/" style="color:#3333FF;">https://docs.glasswall.com/</a>.
    </div>
"@

try {
    $existingDistroGroup = Get-DistributionGroup -Identity $DistroGroupName -ErrorAction SilentlyContinue

    if ($null -eq $existingDistroGroup) {
        Write-Verbose "Info: No existing Distribution Group found, creating new Distribution Group..."
        New-DistributionGroup -Name $DistroGroupName -ErrorAction Stop
        $verifiedGroup = Get-DistributionGroup -Identity $DistroGroupName -ErrorAction Stop
        Write-Information "Success: Distribution Group $DistroGroupName created"
    } else {
        Write-Information "Info: Distribution Group already exists, continuing..."
        $verifiedGroup = $existingDistroGroup
    }


    $existingTransportRule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue

    if ($null -eq $existingTransportRule) {
        Write-Verbose "Info: No existing Transport Rule found, creating new rule..."

        $maxAttempts = 5
        $attempt = 0
        $ruleCreated = $false

        while (-not $ruleCreated -and $attempt -lt $maxAttempts) {
            $attempt++
            Write-Information "Info: Attempting creation of transport rule, attempt $attempt of $maxAttempts"
            try {
                New-TransportRule -Name $RuleName -Comments $Comments  -SentToMemberOf $verifiedGroup.Identity -AttachmentSizeOver 1B -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerText $disclaimerText -ApplyHtmlDisclaimerFallbackAction Wrap -ErrorAction Stop
                $ruleCreated = $true
            } catch {
                Write-Warning "Attempt $attempt failed. Retrying..."
            }
        }

        if (-not $ruleCreated) {
            Write-Error "Failed to create transport rule after $maxAttempts attempts. Please try again."
            throw
        }

        Get-TransportRule -Identity $RuleName -ErrorAction Stop
        Write-Information "Success: Transport Rule $RuleName created for Distribution Group $DistroGroupName"
     } else {
        Write-Information "Info: Transport Rule with the same name already exists, skipping creation of Transport Rule..."
     }

     if (-not $Halo) { Write-Host "Glasswall Outlook Banner installation complete" -ForegroundColor Green }
} catch {
    Write-Error "Something went wrong when trying to create Distribution Group $DistroGroupName, or associated Transport Rule $RuleName. Please verify inputs are correct and try again."
}