
# Creates a CosmosDB.BackoffPolicy object from the supplied retry settings.
# NOTE(review): the param() wrapper, type constraints and braces of this
# function are not visible in this listing.
function New-CosmosDbBackoffPolicy
        # Retry limit stored on the policy. Get-CosmosDbBackoffDelay stops
        # returning a delay once the retry count exceeds it.
        $MaxRetries = 10,

        # Name of the back-off calculation; only the five listed values are accepted.
        [ValidateSet('Default', 'Additive', 'Linear', 'Exponential', 'Random')]
        $Method = 'Default',

        # Base delay, limited to 0..3600000. The delay derived from it is later
        # passed to Start-Sleep -Milliseconds, so the unit is milliseconds.
        [ValidateRange(0, 3600000)]
        $Delay = 0

    # Copy the three settings onto a new policy object.
    $backoffPolicy = New-Object -TypeName 'CosmosDB.BackoffPolicy' -Property @{
        MaxRetries = $MaxRetries
        Method     = $Method
        Delay      = $Delay

    return $backoffPolicy

# Creates a CosmosDB.ContextToken object that pairs a resource with a token
# and records when that token expires.
# NOTE(review): the declarations of $Resource, $TimeStamp and $Token are not
# visible in this listing; only three [Parameter(Mandatory = $true)]
# attributes are, presumably one for each of them.
function New-CosmosDbContextToken
    # NOTE(review): this suppresses the PSAvoidUsingConvertToSecureStringWithPlainText
    # analyzer rule for the whole function, yet no ConvertTo-SecureString call is
    # visible in the body below - confirm the suppression is still required.
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Scope = 'Function')]
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        # Token lifetime in seconds (it is added to $TimeStamp with AddSeconds),
        # limited to 600..18000.
        [ValidateRange(600, 18000)]
        $TokenExpiry = 3600,

        [Parameter(Mandatory = $true)]

    # Expires is derived here once, from the supplied time stamp plus the lifetime.
    $contextToken = New-Object -TypeName 'CosmosDB.ContextToken' -Property @{
        Resource  = $Resource
        TimeStamp = $TimeStamp
        Expires   = $TimeStamp.AddSeconds($TokenExpiry)
        Token     = $Token

    return $contextToken

# Creates a CosmosDB.Context object holding the account, database, key, key
# type, base URI, resource tokens and back-off policy used for requests.
# Four parameter sets appear below: 'Account' (the default), 'Token',
# 'AzureAccount' and 'Emulator'.
# NOTE(review): the param() wrapper, most parameter names and types, the switch
# labels and all braces are not visible in this listing.
function New-CosmosDbContext
    [CmdletBinding(DefaultParameterSetName = 'Account')]
    # The body calls ConvertTo-SecureString -AsPlainText, which is what this
    # analyzer suppression covers.
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Scope = 'Function')]
        # Mandatory in the Account, Token and AzureAccount sets
        # (presumably $Account - confirm).
        [Parameter(Mandatory = $true, ParameterSetName = 'Account')]
        [Parameter(Mandatory = $true, ParameterSetName = 'Token')]
        [Parameter(Mandatory = $true, ParameterSetName = 'AzureAccount')]


        [Parameter(Mandatory = $true, ParameterSetName = 'Account')]

        # Kind of key supplied with the Account set.
        [Parameter(ParameterSetName = 'Account')]
        [ValidateSet('master', 'resource')]
        $KeyType = 'master',

        [Parameter(Mandatory = $true, ParameterSetName = 'AzureAccount')]

        # Name of the key property read from the Azure key-listing result.
        [Parameter(ParameterSetName = 'AzureAccount')]
        [ValidateSet('PrimaryMasterKey', 'SecondaryMasterKey', 'PrimaryReadonlyMasterKey', 'SecondaryReadonlyMasterKey')]
        $MasterKeyType = 'PrimaryMasterKey',

        [Parameter(ParameterSetName = 'Emulator')]

        # Local port used to build the https://localhost:<Port> base URI.
        [Parameter(ParameterSetName = 'Emulator')]
        $Port = 8081,

        [Parameter(Mandatory = $true, ParameterSetName = 'Token')]
        [Parameter(ParameterSetName = 'Emulator')]


    # Fill in $Account, $Key and $BaseUri according to the parameter set in use.
    switch ($PSCmdlet.ParameterSetName)
            $Account = 'localhost'

            # This is a publicly known fixed master key, not a secret. It is
            # paired here with the 'localhost' account and base URI, and
            # should never be configured on any other account.
            $Key = ConvertTo-SecureString `
                -String 'C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==' `
                -AsPlainText `

            $BaseUri = [uri]::new('https://localhost:{0}' -f $Port)

                # Probe for an existing AzureRM session and sign in with
                # Add-AzureRmAccount. The try/catch that presumably makes the
                # sign-in conditional is not visible here.
                $null = Get-AzureRmContext -ErrorAction SilentlyContinue
                $null = Add-AzureRmAccount

            # Read/write keys are returned by the 'listKeys' action.
            $action = 'listKeys'
            if ($MasterKeyType -in ('PrimaryReadonlyMasterKey', 'SecondaryReadonlyMasterKey'))
                # Use the readonlykeys action if a read-only key is required
                $action = 'readonlykeys'

            # Ask Azure Resource Manager for the account keys. -Force skips the
            # confirmation prompt and -ErrorAction Stop turns any failure into
            # a terminating error.
            $resource = Invoke-AzureRmResourceAction `
                -ResourceGroupName $ResourceGroup `
                -Name $Account `
                -ResourceType "Microsoft.DocumentDb/databaseAccounts" `
                -ApiVersion "2015-04-08" `
                -Action $action `
                -Force `
                -ErrorAction Stop

            # Wrap the selected key in a SecureString. The key arrives as plain
            # text in $resource, so that object still holds a readable copy
            # until it is released.
            if ($resource)
                $Key = ConvertTo-SecureString `
                    -String ($resource.$MasterKeyType) `
                    -AsPlainText `

            # The same account-based URI assignment appears three times, presumably
            # once per remaining parameter set (the switch labels are not visible).
            $BaseUri = (Get-CosmosDbUri -Account $Account)

            $BaseUri = (Get-CosmosDbUri -Account $Account)

            $BaseUri = (Get-CosmosDbUri -Account $Account)

    # Assemble the context. Properties whose source parameter was not bound for
    # the active parameter set receive whatever value the variable holds.
    $context = New-Object -TypeName 'CosmosDB.Context' -Property @{
        Account       = $Account
        Database      = $Database
        Key           = $Key
        KeyType       = $KeyType
        BaseUri       = $BaseUri
        Token         = $Token
        BackoffPolicy = $BackoffPolicy

    return $context

# Builds the base URI for an account as 'https://<Account>.<BaseUri>'.
# NOTE(review): the declaration of $Account is not visible here, and neither is
# any validation of it. Because the value becomes the host name that later
# receives the authorization header, confirm it is restricted to a valid
# account name.
function Get-CosmosDbUri
        [Parameter(Mandatory = $true)]

        # NOTE(review): with this empty default the result is 'https://<Account>.';
        # confirm the intended default domain.
        $BaseUri = ''

    return [uri]::new(('https://{0}.{1}' -f $Account, $BaseUri))

# Formats a date for use in the authorization token and the x-ms-date header.
# NOTE(review): the declaration of $Date is not visible in this listing.
function ConvertTo-CosmosDbTokenDateString
        [Parameter(Mandatory = $true)]

    # Convert to UTC first, then format with the "r" (RFC1123) specifier under
    # the invariant culture so the text does not depend on the local culture.
    return $Date.ToUniversalTime().ToString("r", [System.Globalization.CultureInfo]::InvariantCulture)

# Builds the value of the 'authorization' header: an HMAC-SHA256 signature over
# the method, resource type, resource id and date, keyed with the supplied key,
# returned URL-encoded as 'type=<KeyType>&ver=<TokenVersion>&sig=<signature>'.
# NOTE(review): the declarations of $Key and $Date are not visible in this
# listing; only their [Parameter(Mandatory = $true)] attributes are.
function New-CosmosDbAuthorizationToken
        [Parameter(Mandatory = $true)]

        # Written into the 'type=' field of the token.
        [ValidateSet('master', 'resource')]
        $KeyType = 'master',

        # HTTP verb being signed; it is lower-cased before signing.
        [ValidateSet('', 'Delete', 'Get', 'Head', 'Merge', 'Options', 'Patch', 'Post', 'Put', 'Trace')]
        $Method = '',

        # Resource type being signed; it is lower-cased before signing.
        $ResourceType = '',

        # Resource id being signed; it is used exactly as given, not lower-cased.
        $ResourceId = '',

        [Parameter(Mandatory = $true)]

        # Written into the 'ver=' field of the token.
        $TokenVersion = '1.0'

    # The verbose message carries the method, resource type, resource id and
    # date only; the key is not passed to it.
    Write-Verbose -Message $($LocalizedData.CreateAuthorizationToken -f $Method, $ResourceType, $ResourceId, $Date)

    # Unwrap the SecureString into a plain-text managed string.
    # NOTE(review): the BSTR allocated here is never released in the visible
    # code, so a plain-text copy of the key stays in unmanaged memory. Consider
    # calling [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
    # in a finally block once the key bytes have been derived.
    # NOTE(review): PtrToStringBSTR is the reader that matches a BSTR;
    # confirm PtrToStringAuto behaves as intended on every target platform.
    $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key)
    $decryptedKey = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
    # Despite its name, $base64Key holds the decoded key bytes.
    $base64Key = [System.Convert]::FromBase64String($decryptedKey)
    # The unary comma wraps the byte array so that it is passed as a single
    # constructor argument. The HMAC object is not disposed in the visible code.
    $hmacSha256 = New-Object -TypeName System.Security.Cryptography.HMACSHA256 -ArgumentList (, $base64Key)
    $dateString = ConvertTo-CosmosDbTokenDateString -Date $Date
    # String to sign: method, resource type, resource id, date and an empty
    # field, each terminated by a newline.
    $payLoad = @(
        $Method.ToLowerInvariant() + "`n" + `
            $ResourceType.ToLowerInvariant() + "`n" + `
            $ResourceId + "`n" + `
            $dateString.ToLowerInvariant() + "`n" + `
            "" + "`n"

    # Sign the UTF-8 bytes of the payload and Base64-encode the digest.
    $body = [System.Text.Encoding]::UTF8.GetBytes($payLoad)
    $hashPayLoad = $hmacSha256.ComputeHash($body)
    $signature = [Convert]::ToBase64String($hashPayLoad)

    # System.Web provides HttpUtility, which URL-encodes the assembled token.
    Add-Type -AssemblyName 'System.Web'
    $token = [System.Web.HttpUtility]::UrlEncode(('type={0}&ver={1}&sig={2}' -f $KeyType, $TokenVersion, $signature))
    return $token

# Sends one REST request to the service described by a context and returns
# the Invoke-WebRequest result. It builds the resource link and id, uses an
# unexpired resource token from the context when one matches (otherwise it
# signs the request with the key), and consults the back-off policy when the
# service answers 429.
# NOTE(review): the param() wrapper, most parameter names and types, the
# switch labels, else/do/try keywords and all braces are not visible in this
# listing, so the control flow described in the comments is partly inferred.
function Invoke-CosmosDbRequest
    [CmdletBinding(DefaultParameterSetName = 'Context')]
        [Parameter(Mandatory = $true, ParameterSetName = 'Context')]

        [Parameter(Mandatory = $true, ParameterSetName = 'Account')]



        # Passed to the context (Account set) and to the authorization token.
        [ValidateSet('master', 'resource')]
        $KeyType = 'master',

        # HTTP verb of the request.
        [ValidateSet('Delete', 'Get', 'Head', 'Merge', 'Options', 'Patch', 'Post', 'Put', 'Trace')]
        $Method = 'Get',

        # Mandatory and limited to the listed resource types (presumably
        # $ResourceType - its declaration is not visible).
        [Parameter(Mandatory = $True)]
        [ValidateSet('attachments', 'colls', 'dbs', 'docs', 'users', 'permissions', 'triggers', 'sprocs', 'udfs', 'offers')]


        # Request body; only sent for Put, Post and Patch.
        $Body = '',

        # Sent as the x-ms-version header.
        [ValidateSet('2014-08-21', '2015-04-08', '2015-06-03', '2015-08-06', '2015-12-16', '2016-07-11', '2017-01-19', '2017-02-22')]
        $ApiVersion = '2017-02-22',

        # Extra headers; the authorization, date and version headers are added to them.
        $Headers = @{},

        $ContentType = 'application/json'

    # With the Account parameter set a context is built from the individual values.
    if ($PSCmdlet.ParameterSetName -eq 'Account')
        $Context = New-CosmosDbContext -Account $Account -Database $Database -Key $Key -KeyType $KeyType

    # Fall back to the database stored in the context when none was passed.
    if (-not ($PSBoundParameters.ContainsKey('Database')))
        $Database = $Context.Database

    # Generate the resource link value that will be used in the URI and to generate the resource id
    switch ($resourceType)
            # Request for a database object (not contained in a database)
            if ([String]::IsNullOrEmpty($ResourcePath))
                $ResourceLink = 'dbs'
                $resourceLink = $ResourcePath
                $resourceId = $resourceLink

            # Request for an offer object (not contained in a database)
            if ([String]::IsNullOrEmpty($ResourcePath))
                $ResourceLink = 'offers'
                $resourceLink = $ResourcePath
                $resourceId = ($ResourceLink -split '/')[1].ToLowerInvariant()

            # Request for an object that is within a database
            $resourceLink = ('dbs/{0}' -f $Database)

            if ($PSBoundParameters.ContainsKey('ResourcePath'))
                $resourceLink = ('{0}/{1}' -f $resourceLink, $ResourcePath)
                $resourceLink = ('{0}/{1}' -f $resourceLink, $ResourceType)

            # Generate the resource Id from the resource link value
            $resourceElements = [System.Collections.ArrayList] ($resourceLink -split '/')

            # An even number of segments is used as the id unchanged; otherwise
            # the last segment is dropped to form the id.
            if (($resourceElements.Count % 2) -eq 0)
                $resourceId = $resourceLink
                $resourceElements.RemoveAt($resourceElements.Count - 1)
                $resourceId = $resourceElements -Join '/'

    # Generate the URI from the base connection URI and the resource link
    $baseUri = $Context.BaseUri.ToString()
    $uri = [uri]::New(('{0}{1}' -f $baseUri, $resourceLink))

    # Determine the token to use to gain access to the resource
    $token = $null

    if ($null -ne $Context.Token)
        Write-Verbose -Message $($LocalizedData.FindResourceTokenInContext -f $resourceLink)

        # Find the tokens in the context that match the resource link
        $matchToken = $context.Token |
            Where-Object -FilterScript { $_.Resource -eq $resourceLink }

        if ($matchToken)
            # One or more matching tokens could be found
            Write-Verbose -Message $($LocalizedData.FoundResourceTokenInContext -f $matchToken.Count, $matchToken.Resource)

            # Keep only tokens that have not expired and take the one that expires last.
            $now = (Get-Date)
            $validToken = $matchToken |
                Where-Object -FilterScript { $_.Expires -gt $now } |
                Sort-Object -Property Expires -Descending |
                Select-Object -First 1

            if ($validToken)
                # An unexpired matching token was found
                Write-Verbose -Message $($LocalizedData.FoundUnExpiredResourceTokenInContext -f $validToken.Resource, $validToken.TimeStamp)

                # Unwrap the SecureString token and URL-encode it for the header.
                # NOTE(review): the BSTR allocated here is never released in the
                # visible code, so a plain-text copy of the token stays in
                # unmanaged memory; consider Marshal.ZeroFreeBSTR in a finally block.
                # NOTE(review): no Add-Type for System.Web is visible in this
                # function - confirm the assembly is loaded before this point.
                $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($validToken.Token)
                $decryptedToken = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
                $token = [System.Web.HttpUtility]::UrlEncode($decryptedToken)
                # The token's own time stamp, not the current time, is sent as x-ms-date.
                $date = $validToken.TimeStamp
                $dateString = ConvertTo-CosmosDbTokenDateString -Date $date
                # No un-expired matching token could be found, so fall back to using a master key if possible
                Write-Verbose -Message $($LocalizedData.NoMatchingUnexpiredResourceTokenInContext -f $resourceLink)
            # No matching token could be found, so fall back to using a master key if possible
            Write-Verbose -Message $($LocalizedData.NotFoundResourceTokenInContext -f $resourceLink)

    if ($null -eq $token)
            A token in the context that matched the resource link could not
            be found. So use the master key to generate the resource link.

        # Prefer an explicitly passed key; otherwise use the key held in the context.
        if (-not ($PSBoundParameters.ContainsKey('Key')))
            if (-not [System.String]::IsNullOrEmpty($Context.Key))
                $Key = $Context.Key

        # Without a key the request cannot be signed, so raise an error.
        if ([System.String]::IsNullOrEmpty($Key))
            New-CosmosDbInvalidOperationException -Message ($LocalizedData.ErrorAuthorizationKeyEmpty)

        # Generate the date used for the authorization token
        $date = Get-Date
        $dateString = ConvertTo-CosmosDbTokenDateString -Date $date

        $token = New-CosmosDbAuthorizationToken `
            -Key $Key `
            -KeyType $KeyType `
            -Method $Method `
            -ResourceType $ResourceType `
            -ResourceId $resourceId `
            -Date $date

    # Add the authentication headers to the caller's headers. Adding two
    # hashtables fails on a duplicate key, so a caller-supplied 'authorization',
    # 'x-ms-date' or 'x-ms-version' entry raises an error rather than being
    # silently replaced.
    $Headers += @{
        'authorization' = $token
        'x-ms-date'     = $dateString
        'x-ms-version'  = $ApiVersion

    # Parameters splatted onto Invoke-WebRequest below.
    $invokeWebRequestParameters = @{
        Uri         = $uri
        Headers     = $Headers
        Method      = $method
        ContentType = $ContentType

    # Only Put, Post and Patch carry a body. Patch also replaces the content
    # type (hashtable keys are case-insensitive, so 'contentType' overwrites
    # the ContentType entry above).
    if ($Method -in ('Put', 'Post', 'Patch'))
        if ($Method -eq 'Patch')
            $invokeWebRequestParameters['contentType'] = 'application/json-patch+json'

        $invokeWebRequestParameters += @{
            Body = $Body

    # Retry-loop state.
    # NOTE(review): $fatal starts as $true and the loop condition further down
    # requires -not $fatal, so as visible here the loop cannot repeat and a 429
    # is never retried - confirm the initial value and whether lines that
    # advance $retry or continue the loop are missing from this listing.
    $requestComplete = $false
    $retry = 0
    $fatal = $true


            $requestResult = Invoke-WebRequest -UseBasicParsing @invokeWebRequestParameters
            $requestComplete = $true
        catch [System.Net.WebException]
            if ($_.Exception.Response.StatusCode -eq 429)
                    The exception was caused by exceeding provisioned throughput
                    so determine is we should delay and try again or exit

                # The requested delay is taken from a response header, so it is
                # chosen by the server. No upper bound on the resulting sleep is
                # visible here - NOTE(review): consider capping it.
                $delay = Get-CosmosDbBackoffDelay `
                    -BackOffPolicy $Context.BackoffPolicy `
                    -Retry $retry `
                    -RequestedDelay ([System.Int32] ($_.Exception.Response.Headers['x-ms-retry-after-ms']))

                # A null delay means retries have been exceeded or no back-off policy specified
                if ($null -ne $delay)
                    Write-Verbose -Message $($LocalizedData.WaitingBackoffPolicyDelay -f $retry, $delay)
                    Start-Sleep -Milliseconds $delay

            if ($_.Exception.Response)
                    Write out additional exception information into the verbose stream
                    In a future version a custom exception type for CosmosDB that
                    contains this additional information.

                # Read the whole error response body. The reader is not disposed
                # in the visible code.
                $exceptionStream = $_.Exception.Response.GetResponseStream()
                $streamReader = New-Object -TypeName System.IO.StreamReader -ArgumentList $exceptionStream
                $exceptionResponse = $streamReader.ReadToEnd()

                # The server's error body goes to the verbose stream unchanged,
                # so captured verbose output may contain resource details.
                if ($exceptionResponse)
                    Write-Verbose -Message $exceptionResponse

            # A non-recoverable exception occurred
            $fatal = $true

            Throw $_
            # A non-recoverable exception occurred
            # (presumably a general catch block whose header is not visible here)
            $fatal = $true

            Throw $_
    } while ($requestComplete -eq $false -and -not $fatal)

    # Display the Request Charge as a verbose message
    $requestCharge = $requestResult.Headers.'x-ms-request-charge'
    if ($requestCharge)
        Write-Verbose -Message $($LocalizedData.RequestChargeResults -f $method, $uri, $requestCharge)

    return $requestResult

# Works out how long to wait before retrying a throttled request.
# Returns the delay to use, or $null when no back-off policy was supplied or
# the retry count has passed the policy's MaxRetries.
# NOTE(review): the param() wrapper, the declaration of $BackoffPolicy, the
# switch labels, else keywords and braces are not visible in this listing.
function Get-CosmosDbBackoffDelay

        # Number of retries already made.
        $Retry = 0,

        # Delay asked for by the service; the caller reads it from the
        # x-ms-retry-after-ms response header.
        $RequestedDelay = 0

    if ($null -ne $BackoffPolicy)
        # A back-off policy has been provided
        Write-Verbose -Message $($LocalizedData.CollectionProvisionedThroughputExceededWithBackoffPolicy)

        if ($Retry -le $BackoffPolicy.MaxRetries)
            # One calculation per policy method. The labels are not visible; the
            # five assignments presumably follow the order Default, Additive,
            # Linear, Exponential, Random - confirm.
            switch ($BackoffPolicy.Method)
                    # The policy delay as configured.
                    $backoffPolicyDelay = $backoffPolicy.Delay

                    # The requested delay plus the policy delay.
                    $backoffPolicyDelay = $RequestedDelay + $backoffPolicy.Delay

                    # The policy delay multiplied by the attempt number.
                    $backoffPolicyDelay = $backoffPolicy.Delay * ($Retry + 1)

                    # The policy delay multiplied by the square of the attempt number.
                    $backoffPolicyDelay = $backoffPolicy.Delay * [Math]::pow(($Retry + 1),2)

                    # The policy delay plus a random offset between minus half
                    # and plus half of it.
                    $backoffDelayMin = -($backoffPolicy.Delay/2)
                    $backoffDelayMax = $backoffPolicy.Delay/2
                    $backoffPolicyDelay = $backoffPolicy.Delay + (Get-Random -Minimum $backoffDelayMin -Maximum $backoffDelayMax)

            # Use the larger of the policy delay and the requested delay. The
            # requested delay comes from the server and is not capped here.
            if ($backoffPolicyDelay -gt $RequestedDelay)
                $delay = $backoffPolicyDelay
                Write-Verbose -Message $($LocalizedData.BackOffPolicyAppliedPolicyDelay -f $BackoffPolicy.Method, $backoffPolicyDelay, $requestedDelay)
                $delay = $requestedDelay
                Write-Verbose -Message $($LocalizedData.BackOffPolicyAppliedRequestedDelay -f $BackoffPolicy.Method, $backoffPolicyDelay, $requestedDelay)

            return $delay
            # The retry count has passed MaxRetries, so no further delay is offered.
            Write-Verbose -Message $($LocalizedData.CollectionProvisionedThroughputExceededMaxRetriesHit -f $BackoffPolicy.MaxRetries)
            return $null
        # A back-off policy has not been defined
        Write-Verbose -Message $($LocalizedData.CollectionProvisionedThroughputExceededNoBackoffPolicy)
        return $null

# Throws an ErrorRecord that wraps an ArgumentException for the named argument.
# NOTE(review): the declarations of $Message and $ArgumentName are not visible
# in this listing; only their [Parameter(Mandatory = $true)] attributes are.
function New-CosmosDbInvalidArgumentException
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

    # The exception carries both the message and the argument name.
    $argumentException = New-Object -TypeName 'ArgumentException' -ArgumentList @( $Message,
        $ArgumentName )
    # The argument name doubles as the error id; the category is
    # 'InvalidArgument' and no target object is set.
    $newObjectParams = @{
        TypeName     = 'System.Management.Automation.ErrorRecord'
        ArgumentList = @( $argumentException, $ArgumentName, 'InvalidArgument', $null )
    $errorRecord = New-Object @newObjectParams

    throw $errorRecord

# Throws an ErrorRecord built from an InvalidOperationException, optionally
# carrying a message and the exception of an existing error record.
# NOTE(review): the param() wrapper and the declarations of $Message and
# $ErrorRecord are not visible in this listing, nor is the final else keyword.
function New-CosmosDbInvalidOperationException


    # Pick the constructor from what was supplied: nothing, a message only, or
    # a message plus the inner exception taken from $ErrorRecord.
    if ($null -eq $Message)
        $invalidOperationException = New-Object -TypeName 'InvalidOperationException'
    elseif ($null -eq $ErrorRecord)
        $invalidOperationException =
        New-Object -TypeName 'InvalidOperationException' -ArgumentList @( $Message )
        $invalidOperationException =
        New-Object -TypeName 'InvalidOperationException' -ArgumentList @( $Message,
            $ErrorRecord.Exception )

    # The error id is 'MachineStateIncorrect', the category is
    # 'InvalidOperation' and no target object is set.
    # NOTE(review): the first argument is the exception's string form rather
    # than the exception object, so the type and inner exception appear to
    # survive only as text - confirm this is intended.
    $newObjectParams = @{
        TypeName     = 'System.Management.Automation.ErrorRecord'
        ArgumentList = @( $invalidOperationException.ToString(), 'MachineStateIncorrect',
            'InvalidOperation', $null )
    $errorRecordToThrow = New-Object @newObjectParams
    throw $errorRecordToThrow