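## p4remove-user ## aaron bockelie
<#
.SYNOPSIS
Removes a user from a perforce server, and removes the user from the primary auth group of the server.
.DESCRIPTION
This function simplifies removing a user from the auth group and perforce group, and removes the user object from perforce.
If there are files checked out by the user, the function will not remove the user (unless -tryrevert is given and the revert succeeds).
The user object is NEVER deleted from Active Directory.
.EXAMPLE
This command removes a user.

[PS] p4remove-user amanda.dunkle

Name            Type    DN
----            ----    --
p4infosys       group   CN=p4infosys,OU=p4infosys,OU=Depots,OU=Perforce,OU=Crowd,OU=Security ...
Group p4infosys updated.
Dunkle, Amanda  user    CN=Dunkle\, Amanda,OU=IT,OU=Users,OU=SiteName,DC=company,DC=com
User amanda.dunkle deleted.
.PARAMETER users
One or more user names (the Perforce user / Active Directory samaccountname) requested to be removed from the depot.
.PARAMETER tryrevert
If the deletion fails because the user has open files, revert the user's open files and shelves (p4revert-user -force) and retry the deletion once.
.PARAMETER silent
Suppress writing the raw p4 deletion output to the pipeline.
.FUNCTIONALITY
Use this function to automate removing users from a depot group.
#>
Function p4remove-user {
    param(
        [Parameter(Mandatory = $true)][array]$users,
        [switch]$tryrevert,
        [switch]$silent
    )
    #begin function p4remove-user

    # Patterns that mark a failed deletion. The parentheses are escaped on purpose: an
    # unescaped "file(s) open" regex only matches the literal text "files open", so the
    # original check never fired on its own and relied on the second pattern.
    $openFilesPattern = 'file\(s\) open'
    $cannotDeletePattern = "can't be deleted"

    #######################################
    # Helper: run the forced user deletion as a direct command instead of building a
    # string for Invoke-Expression, so a user name containing quotes, semicolons or
    # other shell syntax is passed as one argument and never re-parsed as code.
    # stderr is merged into the result so a failure message reported on either stream
    # is visible to the -match checks; every item is returned as a plain string.
    # Arguments: $p4username - the user name as returned by p4get-user
    # Outputs:   the p4 output lines (stdout and stderr) as strings
    #######################################
    function invoke-p4userdelete {
        param([string]$p4username)
        # local override: a merged stderr line must not become a terminating error in this scope
        $ErrorActionPreference = 'Continue'
        & p4 user -d -f $p4username 2>&1 | %{ $_.ToString() }
    }

    #######################################
    # Helper: remove $user from each local Perforce auth group in $groups.
    # Failures are reported with write-error and the remaining groups are still processed.
    # Arguments: $user - user name; $groups - auth group names; $server - depot name for messages
    #######################################
    function remove-localauthmemberships {
        param([string]$user, [string[]]$groups, [string]$server)
        foreach ($group in $groups) {
            try {
                p4remove-groupmember -users $user -group $group > $null #remove from all local perforce groups
            } catch {
                $message = "Could not remove user `'" + $user + "`' from local Perforce auth group `'" + $group + "`' on depot `'" + $server + "`'"
                write-error $message -category ObjectNotFound
            }
        }
    }

    #######################################
    # Helper: remove $aduser from each Active Directory auth group in $groups.
    # Removal from any group other than the depot's parent auth group is a role change and
    # is confirmed interactively (-warningaction Inquire) before it happens.
    # Arguments: $user - user name for messages; $aduser - AD user object; $groups - auth group names;
    #            $authparentgroup - the depot's primary auth group; $server - depot name for messages
    #######################################
    function remove-adauthmemberships {
        param([string]$user, $aduser, [string[]]$groups, [string]$authparentgroup, [string]$server)
        foreach ($group in $groups) {
            try {
                if ($group -ne $authparentgroup) {
                    $message = "Removing a user from a role group can adversely affect the user's permission to resources.`r`nContinuing with this operation will remove user `'" + $aduser.samaccountname + "`' from role `'" + $group + "`'"
                    write-warning $message -warningaction Inquire
                }
                remove-qadgroupmember $group $aduser > $null
            } catch {
                $message = "Could not remove user `'" + $user + "`' from Active Directory Perforce auth group `'" + $group + "`' on depot `'" + $server + "`'"
                write-error $message -category ObjectNotFound
            }
        }
    }

    $result = @() #initialize result array. (errors, info, etc)
    $p4user = $null
    $servercheck = p4get-server
    # -eq rather than .equals(): a missing pingsuccess property falls through to the login error instead of throwing
    if ($servercheck.pingsuccess -eq $true) {
        $authparentgroup = "p4" + $servercheck.server
        write-progress -id 10 -activity "Performing user removal precheck." -status ("Retrieving authentication groups for depot " + $servercheck.server)
        $authchildgroups = p4get-authgroups
        foreach ($user in $users) {
            write-progress -id 10 -activity ("Removing user " + $user) -status "Validating user object"
            $aduser = $null
            $p4user = p4get-user $user #attempt to locate the user on the perforce depot and return the object.
            write-progress -id 10 -activity ("Removing user " + $user) -status "Building group membership array."
            # names of every auth group the user is currently a member of; drives both the p4 and the AD clean-up
            $authgroupusermemberships = @(
                foreach ($group in $authchildgroups) {
                    if (get-qadgroupmember $group | ?{ $user -eq $_.samaccountname }) { $group.name }
                }
            )
            if ($p4user -eq $null) {
                #first case: user does not exist in local perforce server; still clear any stale local auth group memberships.
                write-progress -id 10 -activity ("Removing user " + $user) -status "Removing user from perforce groups."
                if ($authgroupusermemberships) {
                    $message = "User `'" + $user + "`' is not a Perforce user, but is a member of the following auth groups:`r`n" + ($authgroupusermemberships | %{ ($_ + "`r`n") })
                    write-warning $message
                    remove-localauthmemberships -user $user -groups $authgroupusermemberships -server $servercheck.server
                }
                write-progress -id 10 -activity ("Removing user " + $user) -status "Validating user in Active Directory."
                $aduser = get-qaduser -samaccountname $user #attempt to fetch the user object from active directory.
                if ($aduser -eq $null) {
                    #second case: not an AD user, so no AD group changes are attempted.
                    $message = "User `'" + $user + "`' is not an Active Directory user. No AD groups will change for this operation."
                    write-warning $message
                } else {
                    #third case: AD user exists; only the groups in $authgroupusermemberships are touched.
                    write-progress -id 10 -activity ("Removing user " + $user) -status "Removing user from active directory groups."
                    remove-adauthmemberships -user $user -aduser $aduser -groups $authgroupusermemberships -authparentgroup $authparentgroup -server $servercheck.server
                }
            } else {
                #fourth case: the user exists in the local Perforce server; delete the user object from the depot.
                # $p4user.user is used because a valid object was returned by p4get-user
                $result = invoke-p4userdelete -p4username $p4user.user
                if (($result -match $openFilesPattern) -or ($result -match $cannotDeletePattern)) {
                    #fifth case: open files block the deletion; rectify only if requested.
                    if ($tryrevert.ispresent) {
                        write-warning ("User removal failed. Attempting to revert all open files for user " + $p4user.user)
                        write-progress -id 10 -activity ("Removing user " + $user) -status "Reverting open files and shelves."
                        p4revert-user -username $p4user.user -force #revert the user
                        $result = invoke-p4userdelete -p4username $p4user.user #retry the user deletion.
                        if (($result -match $openFilesPattern) -or ($result -match $cannotDeletePattern)) {
                            #still can't delete the user; group memberships are intentionally left alone.
                            write-error $result -category InvalidOperation
                        }
                    } else {
                        #no revert requested: the open files must be rectified manually before another attempt.
                        write-error $result -category InvalidOperation
                    }
                } else {
                    #sixth case: deletion succeeded; clean up the group memberships.
                    write-progress -id 10 -activity ("Removing user " + $user) -status "Removing user from perforce groups."
                    remove-localauthmemberships -user $user -groups $authgroupusermemberships -server $servercheck.server
                    $aduser = get-qaduser -samaccountname $p4user.user
                    if ($aduser) {
                        write-progress -id 10 -activity ("Removing user " + $user) -status "Removing user from Active Directory groups."
                        remove-adauthmemberships -user $user -aduser $aduser -groups $authgroupusermemberships -authparentgroup $authparentgroup -server $servercheck.server
                    } else {
                        $message = "User `'" + $p4user.user + "`' is not an Active Directory user. No AD groups will change for this operation."
                        write-warning $message
                    }
                }
            }
        }
    } else {
        #the depot ping failed: nothing was attempted.
        write-error -message "This operation requires a valid depot login." -category InvalidOperation
    }

    # now, do something with our results.
    if ($result -match "deleted") {
        write-verbose ("Perforce successfully removed `'" + $p4user.user + "`' from Perforce server.")
    }
    # "saved"/"updated" means p4 treated the call as a user edit, not a deletion
    if (($result -match "saved") -or ($result -match "updated")) {
        $message = "An internal error has occurred with this script. User not removed from Perforce server."
        write-error $message -category NotSpecified
    }
    if (-not $silent) { #if silent is false, send result.
        $result
    }
    write-progress -id 10 -completed -activity "Complete." -status "Complete."
}#end function p4remove-user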