func()

in tools/ctpu/commands/auth.go [270:354]

• 75 lines of code
• 23 McCabe index (conditional complexity)

func (c *authAddGcs) Execute(ctx context.Context, flags *flag.FlagSet, args ...interface{}) subcommands.ExitStatus {
	project, err := c.cp.GetProject()
	if err != nil {
		log.Fatalf("Error retrieving project metadata for project %q: %v", c.cfg.Project, err)
	}
	sa := makeTPUServiceName(project)

	policy, err := c.cp.GetProjectPolicy()
	if err != nil {
		log.Fatalf("Error retrieving project IAM policy for project: %q: %v", c.cfg.Project, err)
	}

	var bindingToModify *cloudresourcemanager.Binding
	for _, b := range policy.Bindings {
		if b.Role == storageRole {
			if bindingHasServiceAccount(sa, b) {
				fmt.Printf("Cloud TPUs in project %q already have access to Cloud Storage.\nNo changes were made.\n", c.cfg.Project)
				return subcommands.ExitSuccess
			}
			bindingToModify = b
		}
	}

	if flags.NArg() == 0 {
		if c.readonly {
			fmt.Printf("--readonly is not compatible with project-wide IAM roles.\n")
			return subcommands.ExitUsageError
		}
		if !c.skipConf {
			ok, err := askForConfirmation("Are you sure you want to set project-wide permissions?")
			if err != nil {
				log.Fatalf("Error while asking for confirmation: %v", err)
				return subcommands.ExitFailure
			}
			if !ok {
				fmt.Printf("No changes have been made; exiting!\n")
				return subcommands.ExitUsageError
			}
		}

		// Set project-wide permissions.
		if bindingToModify == nil {
			bindingToModify = &cloudresourcemanager.Binding{Role: storageRole}
			policy.Bindings = append(policy.Bindings, bindingToModify)
		}
		bindingToModify.Members = append(bindingToModify.Members, sa)
		err = c.cp.SetProjectPolicy(policy)
		if err != nil {
			log.Fatalf("Error setting the IAM policy for project %q: %v", c.cfg.Project, err)
		}
		return subcommands.ExitSuccess
	} else if flags.NArg() == 1 {
		bucketName := flags.Arg(0)
		aclRules, err := c.cp.GetBucketACL(ctx, bucketName)
		if err != nil {
			log.Fatalf("Could not retrieve ACLs for bucket %q: %v", bucketName, err)
		}

		tpuEntity := storage.ACLEntity(fmt.Sprintf("user-service-%d@cloud-tpu.iam.gserviceaccount.com", project.ProjectNumber))

		for _, r := range aclRules {
			if r.Entity == tpuEntity {
				if r.Role == storage.RoleOwner || r.Role == roleWriter || (c.readonly && r.Role == storage.RoleReader) {
					fmt.Printf("Cloud TPUs in project %q already have permissions on bucket %q.\nNo changes have been made.\n", c.cfg.Project, bucketName)
					return subcommands.ExitSuccess
				}
			}
		}

		setRole := storage.RoleOwner
		if c.readonly {
			setRole = storage.RoleReader
		}
		err = c.cp.SetBucketACL(ctx, bucketName, tpuEntity, setRole)

		if err != nil {
			log.Fatalf("Error setting ACL on bucket %q: %v", bucketName, err)
		}

		return subcommands.ExitSuccess
	} else {
		fmt.Printf("Usage error: too many arguments supplied.\n")
		return subcommands.ExitUsageError
	}
}