def enforce_conflict

def enforce_conflict_args()

in docker/generic/start_proxy.py [0:0]
75 lines of code
54 McCabe index (conditional complexity)

def enforce_conflict_args(args):
    if args.rollout_strategy == "managed":
        if args.version:
            return "Flag --version cannot be used if --rollout_strategy=managed."
        if args.service_json_path:
            return "Flag -R or --rollout_strategy must be fixed with --service_json_path."
    else:
        if not args.version and not args.service_json_path:
            return "Flag --version is required if --rollout_strategy=fixed."

    if args.service_json_path:
        if args.service:
            return "Flag --service cannot be used together with --service_json_path."
        if args.version:
            return "Flag --version cannot be used together with --service_json_path."

    if args.non_gcp:
        if args.service_account_key is None and not args.enable_application_default_credentials:
            return "If --non_gcp is specified, --service_account_key or --enable_application_default_credentials has to be specified, or GOOGLE_APPLICATION_CREDENTIALS has to set in os.environ."
        if args.service_account_key and args.enable_application_default_credentials:
            return "Only one of --service_account_key or --enable_application_default_credentials can be supplied for credentials at once."
        if not args.tracing_project_id:
            # for non gcp case, disable tracing if tracing project id is not provided.
            args.disable_tracing = True

    if not args.access_log and args.access_log_format:
        return "Flag --access_log_format has to be used together with --access_log."

    if args.ssl_port and args.ssl_server_cert_path:
        return "Flag --ssl_port is going to be deprecated, please use --ssl_server_cert_path only."
    if args.tls_mutual_auth and (args.ssl_backend_client_cert_path or args.ssl_client_cert_path):
        return "Flag --tls_mutual_auth is going to be deprecated, please use --ssl_backend_client_cert_path only."
    if (args.ssl_backend_client_root_certs_file or args.ssl_client_root_certs_file) and args.enable_grpc_backend_ssl:
        return "Flag --enable_grpc_backend_ssl are going to be deprecated, please use --ssl_backend_client_root_certs_file only."
    if args.generate_self_signed_cert and args.ssl_server_cert_path:
         return "Flag --generate_self_signed_cert and --ssl_server_cert_path cannot be used simutaneously."

    port_flags = []
    port_num = DEFAULT_LISTENER_PORT
    if args.http_port:
        port_flags.append("--http_port")
        port_num = args.http_port
    if args.http2_port:
        port_flags.append("--http2_port")
        port_num = args.http2_port
    if args.listener_port:
        port_flags.append("--listener_port")
        port_num = args.listener_port
    if args.ssl_port:
        port_flags.append("--ssl_port")
        port_num = args.ssl_port

    if len(port_flags) > 1:
        return "Multiple port flags {} are not allowed, use only the --listener_port flag".format(",".join(port_flags))
    elif port_num < 1024:
        return "Port {} is a privileged port. " \
               "For security purposes, the ESPv2 container cannot bind to it. " \
               "Use any port above 1024 instead.".format(port_num)

    if args.ssl_protocols and (args.ssl_minimum_protocol or args.ssl_maximum_protocol):
        return "Flag --ssl_protocols is going to be deprecated, please use --ssl_minimum_protocol and --ssl_maximum_protocol."

    if args.transcoding_ignore_query_parameters \
        and args.transcoding_ignore_unknown_query_parameters:
        return "Flag --transcoding_ignore_query_parameters cannot be used" \
               " together with --transcoding_ignore_unknown_query_parameters."

    if args.dns_resolver_addresses and args.dns:
        return "Flag --dns_resolver_addresses cannot be used together with" \
               " together with --dns."

    if args.ssl_backend_client_cert_path and args.ssl_client_cert_path:
        return "Flag --ssl_client_cert_path is renamed to " \
               "--ssl_backend_client_cert_path, only use the latter flag."

    if args.ssl_backend_client_root_certs_file and args.ssl_client_root_certs_file:
        return "Flag --ssl_client_root_certs_file is renamed to " \
               "--ssl_backend_client_root_certs_file, only use the latter flag."

    # health_check_grpc_backend flags
    if args.health_check_grpc_backend and not args.backend.startswith("grpc"):
        return "Flag --health_check_grpc_backend requires the flag --backend to use grpc scheme."
    if not args.health_check_grpc_backend and args.health_check_grpc_backend_interval:
        return "Flag --health_check_grpc_backend_interval requires the flag --health_check_grpc_backend to be used."
    if not args.health_check_grpc_backend and args.health_check_grpc_backend_service:
        return "Flag --health_check_grpc_backend_service requires the flag --health_check_grpc_backend to be used."
    if not args.health_check_grpc_backend and args.health_check_grpc_backend_no_traffic_interval:
        return "Flag --health_check_grpc_backend_no_traffic_interval requires the flag --health_check_grpc_backend to be used."

    return None