param(
    [Parameter(Mandatory=$true)]
    [string]$InputFile
)

# Read input JSON
try {
    $json = Get-Content -Raw -Path $InputFile -ErrorAction Stop
    $payload = $json | ConvertFrom-Json
} catch {
    $err = $_.Exception.Message
    Write-Output (@{ success = $false; message = "Failed to read/parse input JSON: $err" } | ConvertTo-Json -Compress)
    exit 1
}

# Default result
$actor = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$result = @{ success = $false; message = "Unspecified error"; actor = $actor }

# Validate
if (-not $payload.samaccountname -or -not $payload.password) {
    $result.message = "Required fields: samaccountname and password"
    Write-Output ($result | ConvertTo-Json -Compress)
    exit 1
}

# Convert to strings
$sam = [string]$payload.samaccountname
$display = [string]($payload.displayname)
$mail = [string]($payload.mail)
$pass = [string]$payload.password
$ou = [string]($payload.ou)
$groups = [string]($payload.groups)
$dryRun = [bool]($payload.dry_run -as [bool])
# Password hint and validation helper (German)
$passwordHint = @"
Das sollten die Anforderungen an das Passwort sein:

- mindestens 7 Zeichen
- darf den Benutzer-/Accountnamen nicht enthalten (bzw. keine zu großen Teile davon)
- muss Zeichen aus mindestens 3 von 4 Kategorien enthalten:
  1) Großbuchstaben (A–Z)
  2) Kleinbuchstaben (a–z)
  3) Ziffern (0–9)
  4) Sonderzeichen (alles, was kein Buchstabe/Zahl ist, z. B. ! ? # _ - . , usw.)
"@

function Test-PasswordRequirements {
    param(
        [string]$Password,
        [string]$SamAccountName
    )

    $errors = @()

    if ([string]::IsNullOrEmpty($Password) -or $Password.Length -lt 7) {
        $errors += 'Passwort muss mindestens 7 Zeichen lang sein.'
    }

    $categories = 0
    if ($Password -match '[A-Z]') { $categories++ }
    if ($Password -match '[a-z]') { $categories++ }
    if ($Password -match '\d') { $categories++ }
    if ($Password -match '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $errors += 'Passwort muss Zeichen aus mindestens 3 von 4 Kategorien enthalten (Groß, Klein, Ziffern, Sonderzeichen).'
    }

    if (-not [string]::IsNullOrEmpty($SamAccountName)) {
        $pwLower = $Password.ToLowerInvariant()
        $samLower = $SamAccountName.ToLowerInvariant()

        if ($pwLower -like "*${samLower}*") {
            $errors += 'Passwort darf den Benutzernamen nicht enthalten.'
        } else {
            $minLen = 4
            if ($samLower.Length -ge $minLen) {
                for ($len = $minLen; $len -le $samLower.Length; $len++) {
                    for ($start = 0; $start -le $samLower.Length - $len; $start++) {
                        $sub = $samLower.Substring($start, $len)
                        if ($pwLower -like "*${sub}*") {
                            $errors += 'Passwort darf keine größeren Teile des Benutzernamens enthalten.'
                            break 2
                        }
                    }
                }
            }
        }
    }

    return $errors
}
# Ensure ActiveDirectory module available
try {
    Import-Module ActiveDirectory -ErrorAction Stop
} catch {
    $result.message = "ActiveDirectory PowerShell module not available: $($_.Exception.Message)"
    Write-Output ($result | ConvertTo-Json -Compress)
    exit 1
}

# Build New-ADUser parameters
$props = @{
    Name = if ($display -and $display -ne '') { $display } else { $sam }
    SamAccountName = $sam
    Enabled = $true
}

if ($mail -and $mail -ne '') { $props['EmailAddress'] = $mail }
if ($ou -and $ou -ne '') { $props['Path'] = $ou }

# Validate password before continuing
$pwErrors = Test-PasswordRequirements -Password $pass -SamAccountName $sam
if ($pwErrors.Count -gt 0) {
    $result.message = 'Invalid password: ' + ($pwErrors -join ' | ')
    $result.hint = $passwordHint
    Write-Output ($result | ConvertTo-Json -Compress)
    exit 1
}

# Build secure password
$securePass = ConvertTo-SecureString $pass -AsPlainText -Force
$props['AccountPassword'] = $securePass

# Execute
if ($dryRun) {
    $result.success = $true
    $result.message = "DRY RUN: would create user $($sam)"
    Write-Output ($result | ConvertTo-Json -Compress)
    exit 0
}

try {
    # Create the AD user
    New-ADUser @props -ErrorAction Stop

    # Add to groups, if provided
    if ($groups -and $groups -ne '') {
        $groupList = $groups -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
        foreach ($g in $groupList) {
            Add-ADGroupMember -Identity $g -Members $sam -ErrorAction Stop
        }
    }

    $result.success = $true
    $result.message = "User $($sam) created successfully"
    Write-Output ($result | ConvertTo-Json -Compress)
    exit 0
} catch {
    $result.message = "Error creating user $($sam): $($_.Exception.Message)"
    Write-Output ($result | ConvertTo-Json -Compress)
    exit 1
}