[CmdletBinding()]
param()

$ErrorActionPreference = "Stop"

Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

$script:RootPath = Split-Path -Parent (Split-Path -Parent $MyInvocation.MyCommand.Path)
$script:RootCertificatePath = Join-Path $script:RootPath "assets\certificates\MrSphay-LocalTrust-Root.cer"
$script:PublisherCertificatePath = Join-Path $script:RootPath "assets\certificates\MrSphay-CodeSigning.cer"
$script:IconPath = Join-Path $script:RootPath "assets\MrTrust.ico"

function Test-IsAdministrator {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MrTrustCertificate {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }

    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}

function Get-TrustScope {
    if ($script:AllUsersCheckBox.Checked) {
        "LocalMachine"
    }
    else {
        "CurrentUser"
    }
}

function Get-StorePath {
    param(
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$Store
    )

    "Cert:\$Scope\$Store"
}

function Test-CertificateInstalled {
    param(
        [Parameter(Mandatory)]$Certificate,
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$Store
    )

    $storePath = Get-StorePath -Scope $Scope -Store $Store
    @(Get-ChildItem -Path $storePath | Where-Object Thumbprint -eq $Certificate.Thumbprint).Count -gt 0
}

function Set-StatusText {
    param([Parameter(Mandatory)][string]$Text)

    $script:StatusLabel.Text = $Text
}

function Refresh-MrTrustStatus {
    try {
        $rootCertificate = Get-MrTrustCertificate -Path $script:RootCertificatePath
        $publisherCertificate = Get-MrTrustCertificate -Path $script:PublisherCertificatePath
        $scope = Get-TrustScope

        $rootInstalled = Test-CertificateInstalled -Certificate $rootCertificate -Scope $scope -Store "Root"
        $publisherInstalled = Test-CertificateInstalled -Certificate $publisherCertificate -Scope $scope -Store "TrustedPublisher"

        $script:RootThumbprintLabel.Text = $rootCertificate.Thumbprint
        $script:PublisherThumbprintLabel.Text = $publisherCertificate.Thumbprint
        $script:ExpiryLabel.Text = $rootCertificate.NotAfter.ToString("yyyy-MM-dd")

        if ($rootInstalled -and $publisherInstalled) {
            Set-StatusText "Trusted"
            $script:StatusPill.BackColor = [Drawing.Color]::FromArgb(28, 185, 111)
        }
        else {
            Set-StatusText "Not installed"
            $script:StatusPill.BackColor = [Drawing.Color]::FromArgb(242, 153, 74)
        }
    }
    catch {
        Set-StatusText $_.Exception.Message
        $script:StatusPill.BackColor = [Drawing.Color]::FromArgb(235, 87, 87)
    }
}

function Install-MrTrustCertificates {
    $scope = Get-TrustScope
    if ($scope -eq "LocalMachine" -and -not (Test-IsAdministrator)) {
        [Windows.Forms.MessageBox]::Show(
            "All-users trust requires running PowerShell as Administrator.",
            "MrTrust",
            [Windows.Forms.MessageBoxButtons]::OK,
            [Windows.Forms.MessageBoxIcon]::Warning
        ) | Out-Null
        return
    }

    $rootCertificate = Get-MrTrustCertificate -Path $script:RootCertificatePath
    $publisherCertificate = Get-MrTrustCertificate -Path $script:PublisherCertificatePath

    $message = "Install MrSphay trust for $scope?`r`n`r`nRoot:`r`n$($rootCertificate.Thumbprint)`r`n`r`nPublisher:`r`n$($publisherCertificate.Thumbprint)`r`n`r`nOnly continue if you trust software signed by MrSphay."
    $result = [Windows.Forms.MessageBox]::Show(
        $message,
        "Install MrTrust",
        [Windows.Forms.MessageBoxButtons]::YesNo,
        [Windows.Forms.MessageBoxIcon]::Warning
    )

    if ($result -ne [Windows.Forms.DialogResult]::Yes) {
        return
    }

    Import-Certificate -FilePath $script:RootCertificatePath -CertStoreLocation (Get-StorePath -Scope $scope -Store "Root") | Out-Null
    Import-Certificate -FilePath $script:PublisherCertificatePath -CertStoreLocation (Get-StorePath -Scope $scope -Store "TrustedPublisher") | Out-Null
    Refresh-MrTrustStatus
}

function Remove-MrTrustCertificates {
    $scope = Get-TrustScope
    if ($scope -eq "LocalMachine" -and -not (Test-IsAdministrator)) {
        [Windows.Forms.MessageBox]::Show(
            "All-users removal requires running PowerShell as Administrator.",
            "MrTrust",
            [Windows.Forms.MessageBoxButtons]::OK,
            [Windows.Forms.MessageBoxIcon]::Warning
        ) | Out-Null
        return
    }

    $rootCertificate = Get-MrTrustCertificate -Path $script:RootCertificatePath
    $publisherCertificate = Get-MrTrustCertificate -Path $script:PublisherCertificatePath
    $result = [Windows.Forms.MessageBox]::Show(
        "Remove MrSphay trust for $scope?",
        "Remove MrTrust",
        [Windows.Forms.MessageBoxButtons]::YesNo,
        [Windows.Forms.MessageBoxIcon]::Question
    )

    if ($result -ne [Windows.Forms.DialogResult]::Yes) {
        return
    }

    $targets = @(
        [pscustomobject]@{ Store = "Root"; Thumbprint = $rootCertificate.Thumbprint },
        [pscustomobject]@{ Store = "TrustedPublisher"; Thumbprint = $publisherCertificate.Thumbprint }
    )

    foreach ($target in $targets) {
        $storePath = Get-StorePath -Scope $scope -Store $target.Store
        Get-ChildItem -Path $storePath |
            Where-Object Thumbprint -eq $target.Thumbprint |
            Remove-Item
    }

    Refresh-MrTrustStatus
}

[Windows.Forms.Application]::EnableVisualStyles()

$form = [Windows.Forms.Form]::new()
$form.Text = "MrTrust"
$form.StartPosition = "CenterScreen"
$form.ClientSize = [Drawing.Size]::new(900, 560)
$form.MinimumSize = [Drawing.Size]::new(860, 540)
$form.BackColor = [Drawing.Color]::FromArgb(22, 26, 29)
$form.Font = [Drawing.Font]::new("Segoe UI", 10)
if (Test-Path -LiteralPath $script:IconPath) {
    $form.Icon = [Drawing.Icon]::new($script:IconPath)
}

$header = [Windows.Forms.Panel]::new()
$header.Dock = "Top"
$header.Height = 124
$header.BackColor = [Drawing.Color]::FromArgb(27, 32, 35)
$form.Controls.Add($header)

$accent = [Windows.Forms.Panel]::new()
$accent.Dock = "Left"
$accent.Width = 8
$accent.BackColor = [Drawing.Color]::FromArgb(28, 185, 111)
$header.Controls.Add($accent)

$logoBox = [Windows.Forms.PictureBox]::new()
$logoBox.Size = [Drawing.Size]::new(44, 44)
$logoBox.Location = [Drawing.Point]::new(34, 30)
$logoBox.SizeMode = "StretchImage"
if (Test-Path -LiteralPath $script:IconPath) {
    $logoBox.Image = [Drawing.Icon]::new($script:IconPath).ToBitmap()
}
$header.Controls.Add($logoBox)

$title = [Windows.Forms.Label]::new()
$title.Text = "MrTrust"
$title.ForeColor = [Drawing.Color]::White
$title.Font = [Drawing.Font]::new("Segoe UI", 24, [Drawing.FontStyle]::Bold)
$title.AutoSize = $true
$title.Location = [Drawing.Point]::new(92, 24)
$header.Controls.Add($title)

$subtitle = [Windows.Forms.Label]::new()
$subtitle.Text = "Trust setup for MrSphay signed Windows apps"
$subtitle.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$subtitle.AutoSize = $true
$subtitle.Location = [Drawing.Point]::new(96, 74)
$header.Controls.Add($subtitle)

$statusText = [Windows.Forms.Label]::new()
$statusText.Text = "Status"
$statusText.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$statusText.AutoSize = $true
$statusText.Location = [Drawing.Point]::new(646, 32)
$header.Controls.Add($statusText)

$script:StatusPill = [Windows.Forms.Panel]::new()
$script:StatusPill.Size = [Drawing.Size]::new(16, 16)
$script:StatusPill.Location = [Drawing.Point]::new(646, 62)
$script:StatusPill.BackColor = [Drawing.Color]::FromArgb(242, 153, 74)
$header.Controls.Add($script:StatusPill)

$script:StatusLabel = [Windows.Forms.Label]::new()
$script:StatusLabel.Text = "Checking..."
$script:StatusLabel.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$script:StatusLabel.AutoSize = $false
$script:StatusLabel.AutoEllipsis = $true
$script:StatusLabel.Location = [Drawing.Point]::new(674, 57)
$script:StatusLabel.Size = [Drawing.Size]::new(190, 28)
$header.Controls.Add($script:StatusLabel)

$content = [Windows.Forms.Panel]::new()
$content.Dock = "Fill"
$content.Padding = [Windows.Forms.Padding]::new(30)
$content.BackColor = [Drawing.Color]::FromArgb(22, 26, 29)
$form.Controls.Add($content)

$infoPanel = [Windows.Forms.Panel]::new()
$infoPanel.BackColor = [Drawing.Color]::FromArgb(31, 37, 40)
$infoPanel.Size = [Drawing.Size]::new(820, 226)
$infoPanel.Location = [Drawing.Point]::new(40, 34)
$content.Controls.Add($infoPanel)

$scopeLabel = [Windows.Forms.Label]::new()
$scopeLabel.Text = "Scope"
$scopeLabel.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$scopeLabel.Location = [Drawing.Point]::new(24, 24)
$scopeLabel.AutoSize = $true
$infoPanel.Controls.Add($scopeLabel)

$script:AllUsersCheckBox = [Windows.Forms.CheckBox]::new()
$script:AllUsersCheckBox.Text = "Install for all users (requires Administrator)"
$script:AllUsersCheckBox.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$script:AllUsersCheckBox.Location = [Drawing.Point]::new(24, 50)
$script:AllUsersCheckBox.AutoSize = $true
$script:AllUsersCheckBox.FlatStyle = "Flat"
$script:AllUsersCheckBox.Add_CheckedChanged({ Refresh-MrTrustStatus })
$infoPanel.Controls.Add($script:AllUsersCheckBox)

$rootLabel = [Windows.Forms.Label]::new()
$rootLabel.Text = "Root thumbprint"
$rootLabel.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$rootLabel.Location = [Drawing.Point]::new(24, 92)
$rootLabel.AutoSize = $true
$infoPanel.Controls.Add($rootLabel)

$script:RootThumbprintLabel = [Windows.Forms.Label]::new()
$script:RootThumbprintLabel.Text = "-"
$script:RootThumbprintLabel.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$script:RootThumbprintLabel.Font = [Drawing.Font]::new("Consolas", 9)
$script:RootThumbprintLabel.Location = [Drawing.Point]::new(180, 92)
$script:RootThumbprintLabel.AutoSize = $true
$infoPanel.Controls.Add($script:RootThumbprintLabel)

$publisherLabel = [Windows.Forms.Label]::new()
$publisherLabel.Text = "Publisher thumbprint"
$publisherLabel.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$publisherLabel.Location = [Drawing.Point]::new(24, 128)
$publisherLabel.AutoSize = $true
$infoPanel.Controls.Add($publisherLabel)

$script:PublisherThumbprintLabel = [Windows.Forms.Label]::new()
$script:PublisherThumbprintLabel.Text = "-"
$script:PublisherThumbprintLabel.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$script:PublisherThumbprintLabel.Font = [Drawing.Font]::new("Consolas", 9)
$script:PublisherThumbprintLabel.Location = [Drawing.Point]::new(180, 128)
$script:PublisherThumbprintLabel.AutoSize = $true
$infoPanel.Controls.Add($script:PublisherThumbprintLabel)

$expiryLabelTitle = [Windows.Forms.Label]::new()
$expiryLabelTitle.Text = "Expires"
$expiryLabelTitle.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$expiryLabelTitle.Location = [Drawing.Point]::new(24, 164)
$expiryLabelTitle.AutoSize = $true
$infoPanel.Controls.Add($expiryLabelTitle)

$script:ExpiryLabel = [Windows.Forms.Label]::new()
$script:ExpiryLabel.Text = "-"
$script:ExpiryLabel.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$script:ExpiryLabel.Location = [Drawing.Point]::new(180, 164)
$script:ExpiryLabel.AutoSize = $true
$infoPanel.Controls.Add($script:ExpiryLabel)

$installButton = [Windows.Forms.Button]::new()
$installButton.Text = "Install trust"
$installButton.BackColor = [Drawing.Color]::FromArgb(28, 185, 111)
$installButton.ForeColor = [Drawing.Color]::White
$installButton.FlatStyle = "Flat"
$installButton.Size = [Drawing.Size]::new(180, 46)
$installButton.Location = [Drawing.Point]::new(40, 292)
$installButton.Add_Click({ Install-MrTrustCertificates })
$content.Controls.Add($installButton)

$removeButton = [Windows.Forms.Button]::new()
$removeButton.Text = "Remove trust"
$removeButton.BackColor = [Drawing.Color]::FromArgb(44, 52, 56)
$removeButton.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$removeButton.FlatStyle = "Flat"
$removeButton.Size = [Drawing.Size]::new(180, 46)
$removeButton.Location = [Drawing.Point]::new(240, 292)
$removeButton.Add_Click({ Remove-MrTrustCertificates })
$content.Controls.Add($removeButton)

$refreshButton = [Windows.Forms.Button]::new()
$refreshButton.Text = "Refresh"
$refreshButton.BackColor = [Drawing.Color]::FromArgb(44, 52, 56)
$refreshButton.ForeColor = [Drawing.Color]::FromArgb(225, 231, 227)
$refreshButton.FlatStyle = "Flat"
$refreshButton.Size = [Drawing.Size]::new(140, 46)
$refreshButton.Location = [Drawing.Point]::new(440, 292)
$refreshButton.Add_Click({ Refresh-MrTrustStatus })
$content.Controls.Add($refreshButton)

$note = [Windows.Forms.Label]::new()
$note.Text = "MrTrust installs public certificates only. It does not disable Defender, SmartScreen, UAC, or enterprise policies."
$note.ForeColor = [Drawing.Color]::FromArgb(177, 190, 183)
$note.Location = [Drawing.Point]::new(40, 376)
$note.Size = [Drawing.Size]::new(820, 48)
$content.Controls.Add($note)

$form.Add_Shown({ Refresh-MrTrustStatus })
[Windows.Forms.Application]::Run($form)