# Controle de Acesso Web - Matuke Tecnologia
# Instalar / Alterar Profile / Desinstalar / Sair
# Rode como Administrador

$Host.UI.RawUI.WindowTitle = "Controle de Acesso Web - Matuke Tecnologia"

$msiUrl   = "https://nextdns.io/download/windows/stable.msi"
$fgTitle  = "Cyan"
$fgOK     = "Green"
$fgWarn   = "Yellow"
$fgErr    = "Red"
$width    = 60

# ====== BASE ======

function Ensure-Admin {
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pri = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $pri.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host "[!] Execute este script como Administrador." -ForegroundColor $fgWarn
        Read-Host "Pressione Enter para sair"
        exit 1
    }
}

function Header([string]$text) {
    Clear-Host
    $line = ('=' * $width)
    Write-Host $line -ForegroundColor $fgTitle
    $padLeft = [Math]::Max(0, [int](($width - $text.Length) / 2))
    $centered = (' ' * $padLeft) + $text
    Write-Host $centered -ForegroundColor $fgTitle
    Write-Host $line -ForegroundColor $fgTitle
    Write-Host ""
}

function Start-AndWait([string]$file, [string]$argsLine) {
    $p = Start-Process -FilePath $file -ArgumentList $argsLine -PassThru -WindowStyle Hidden
    $p.WaitForExit()
}

# Forca TLS 1.2 p/ Invoke-WebRequest
try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}

# ====== SENHA (SHA-256 de "SecureWeb") ======
# hash: 027df4722a8e702e06f826f3318ed6f7d3db21ea349e87e37083576bd96f76a5
$HashCorreto = "027df4722a8e702e06f826f3318ed6f7d3db21ea349e87e37083576bd96f76a5"

function Get-PlainFromSecure([SecureString]$Secure) {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

function Get-Hash256([string]$text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [Text.Encoding]::UTF8.GetBytes($text)
    ($sha.ComputeHash($bytes) | ForEach-Object ToString x2) -join ''
}

function Password-Gate {
    Header "Controle de Acesso Web - Matuke Tecnologia"
    $secure = Read-Host "Digite a senha de acesso" -AsSecureString
    $plain  = Get-PlainFromSecure $secure
    $hash   = (Get-Hash256 $plain).ToLower()
    if ($hash -ne $HashCorreto) {
        Write-Host "Senha incorreta. Encerrando..." -ForegroundColor $fgErr
        Start-Sleep 2
        exit 1
    }
    Write-Host "Acesso autorizado." -ForegroundColor $fgOK
    Start-Sleep 1
}

# ====== VALIDACAO DE NOME DO COMPUTADOR ======

function Test-ComputerNameValid([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return $false }
    if ($Name.Length -gt 15) { return $false }
    if ($Name -notmatch '^[A-Za-z0-9-]+$') { return $false }
    if ($Name.StartsWith('-') -or $Name.EndsWith('-')) { return $false }
    if ($Name -match '^\d+$') { return $false }
    $reserved = @('CON','PRN','AUX','NUL','COM1','COM2','COM3','COM4','COM5','COM6','COM7','COM8','COM9','LPT1','LPT2','LPT3','LPT4','LPT5','LPT6','LPT7','LPT8','LPT9')
    if ($reserved -contains $Name.ToUpper()) { return $false }
    return $true
}

function Explain-NameRules {
    Write-Host "Nome invalido. Regras:" -ForegroundColor $fgErr
    Write-Host " - 1 a 15 caracteres" -ForegroundColor $fgWarn
    Write-Host " - Permitido: letras (A-Z), numeros (0-9) e hifen (-)" -ForegroundColor $fgWarn
    Write-Host " - Nao pode comecar nem terminar com hifen" -ForegroundColor $fgWarn
    Write-Host " - Nao pode ser apenas numeros" -ForegroundColor $fgWarn
    Write-Host " - Sem espacos ou outros simbolos" -ForegroundColor $fgWarn
}

# ====== OPERACOES ======

function Instalar {
    Header "Instalacao - Controle de Acesso Web"
    $precisaReiniciar = $false

    # 1) Mostrar nome atual e (opcional) renomear
    $nomeAtual = $env:COMPUTERNAME
    Write-Host "Nome atual do computador: $nomeAtual" -ForegroundColor $fgWarn
    $resp = Read-Host "Deseja alterar o nome da maquina? (S/N)"
    if ($resp -match '^(s|S|sim|SIM)$') {
        while ($true) {
            $novoNome = Read-Host "Digite o novo nome do computador (ENTER cancela)"
            if ([string]::IsNullOrWhiteSpace($novoNome)) {
                Write-Host "Renomeacao cancelada." -ForegroundColor $fgWarn
                break
            }
            if (Test-ComputerNameValid $novoNome) {
                Write-Host "Executando renomeacao..." -ForegroundColor $fgOK
                Rename-Computer -NewName $novoNome -Force
                Start-Sleep 5
                Write-Host "concluido!" -ForegroundColor $fgOK
                Start-Sleep 3
                $precisaReiniciar = $true
                break
            } else {
                Explain-NameRules
                Start-Sleep 2
            }
        }
    }

    # 2) Perguntar profile (ENTER usa padrao 229737)
    $profile = Read-Host "Informe o Profile (pressione ENTER para usar o padrao 229737)"
    if ([string]::IsNullOrWhiteSpace($profile)) {
        $profile = "229737"
        Write-Host "Usando profile padrao: $profile" -ForegroundColor $fgWarn
    }

    # 3) Instalar
    Write-Host "Executando..." -ForegroundColor $fgOK
    Start-AndWait "msiexec.exe" "/qn /i $msiUrl PROFILE=$profile UI=0 ARP=0"
    Start-Sleep 10

    # 4) Baixar e instalar certificado
    Invoke-WebRequest -Uri "https://nextdns.io/ca" -OutFile "$env:TEMP\nextdns.cer"
    Start-Sleep 3
    certutil -addstore -f root "$env:TEMP\nextdns.cer"
    Start-Sleep 10

    Write-Host "concluido!" -ForegroundColor $fgOK
    Start-Sleep 3

    # 5) Reiniciar somente se renomeou
    if ($precisaReiniciar) {
        Write-Host "AVISO: O computador sera reiniciado agora para aplicar o novo nome." -ForegroundColor $fgWarn
        Start-Sleep 5
        Restart-Computer -Force
    }
}

function Alterar-Profile {
    Header "Alterar Profile - Controle de Acesso Web"
    $profile = Read-Host "Informe o NOVO Profile (apenas ID, ex.: 229737)"
    if ([string]::IsNullOrWhiteSpace($profile)) {
        Write-Host "Operacao cancelada: Profile nao informado." -ForegroundColor $fgWarn
        Start-Sleep 1
        return
    }
    Write-Host -NoNewline "Executando..." -ForegroundColor $fgOK
    Start-AndWait "msiexec.exe" "/qn /i $msiUrl PROFILE=$profile UI=0 ARP=0"
    Start-Sleep 10
    Write-Host " concluido!" -ForegroundColor $fgOK
    Start-Sleep 3
    Write-Host ""
}

function Desinstalar {
    Header "Desinstalar - Controle de Acesso Web"
    $profileFixed = "229737"
    $uninstaller  = "C:\Program Files (x86)\NextDNS\Uninstall.exe"
    $installDir   = "C:\Program Files (x86)\NextDNS"

    Write-Host -NoNewline "Executando..." -ForegroundColor $fgOK

    # 1) msiexec com ARP=1
    Start-AndWait "msiexec.exe" "/qn /i $msiUrl PROFILE=$profileFixed UI=0 ARP=1"
    Start-Sleep 40

    # 2) Uninstall.exe /S
    if (Test-Path $uninstaller) {
        Start-AndWait $uninstaller "/S"
    }
    Start-Sleep 30

    # 3) Remover pasta de instalacao
    try {
        Stop-Service -Name "NextDNS" -ErrorAction SilentlyContinue
        if (Test-Path $installDir) {
            Remove-Item $installDir -Recurse -Force -ErrorAction SilentlyContinue
        }
    } catch { }

    Write-Host " concluido!" -ForegroundColor $fgOK
    Start-Sleep 3
    Write-Host ""
}

function Menu {
    Header "Controle de Acesso Web - Matuke Tecnologia"
    Write-Host " 1 - Instalar"
    Write-Host " 2 - Alterar Profile"
    Write-Host " 3 - Desinstalar"
    Write-Host " 4 - Sair"
    Write-Host ""
}

# ====== FLUXO ======
Ensure-Admin
Password-Gate

while ($true) {
    Menu
    $opt = Read-Host "Escolha uma opcao (1-4)"
    switch ($opt) {
        "1" { Instalar }
        "2" { Alterar-Profile }
        "3" { Desinstalar }
        "4" {
            Header "Controle de Acesso Web - Matuke Tecnologia"
            Write-Host "Encerrado." -ForegroundColor $fgOK
            return
        }
        default {
            Write-Host "Opcao invalida." -ForegroundColor $fgWarn
            Start-Sleep 1
        }
    }
}