ROX-10303: Replace errox wrappers (#1389)

mtodor · web-flow · commit 3bbdfd71de4c · 2022-04-28T10:12:11.000+02:00
* Remove NewErrNoCredentials
* Remove NewErrInvariantViolation
* Remove NewErrNotAuthorized
* Remove NewErrInvalidArgs
* Fix regex for roxctl wrapcheck linter 
* Updated error messages - review comment discussion_r859310460
diff --git a/.golangci.yml b/.golangci.yml
@@ -80,7 +80,7 @@ linters-settings:
   wrapcheck:
     ignoreSigRegexps:
       - utils\.Should
-      - errox\.New.*
+      - errox\..+\.CausedBy(f)?
       - retry\.MakeRetryable
       - policy\.NewErr.*
 
diff --git a/central/apitoken/service/service_impl.go b/central/apitoken/service/service_impl.go
@@ -101,7 +101,7 @@ func (s *serviceImpl) GenerateToken(ctx context.Context, req *v1.GenerateTokenRe
 		return nil, err
 	}
 	if err := verifyNoPrivilegeEscalation(id.Roles(), roles); err != nil {
-		return nil, errox.NewErrNotAuthorized(err.Error())
+		return nil, errox.NotAuthorized.CausedBy(err.Error())
 	}
 
 	token, metadata, err := s.backend.IssueRoleToken(ctx, req.GetName(), utils.RoleNames(roles))
diff --git a/central/authprovider/service/service_impl.go b/central/authprovider/service/service_impl.go
@@ -70,7 +70,7 @@ func (s *serviceImpl) AuthFuncOverride(ctx context.Context, fullMethodName strin
 // GetAuthProvider retrieves the authProvider based on the id passed
 func (s *serviceImpl) GetAuthProvider(_ context.Context, request *v1.GetAuthProviderRequest) (*storage.AuthProvider, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id is required")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 	authProvider := s.registry.GetProvider(request.GetId())
 	if authProvider == nil {
@@ -158,37 +158,37 @@ func (s *serviceImpl) GetAuthProviders(_ context.Context, request *v1.GetAuthPro
 func (s *serviceImpl) PostAuthProvider(ctx context.Context, request *v1.PostAuthProviderRequest) (*storage.AuthProvider, error) {
 	providerReq := request.GetProvider()
 	if providerReq.GetName() == "" {
-		return nil, errox.NewErrInvalidArgs("no auth provider name specified")
+		return nil, errox.InvalidArgs.CausedBy("no auth provider name specified")
 	}
 	if providerReq.GetId() != "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id must be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is not empty")
 	}
 	if providerReq.GetLoginUrl() != "" {
-		return nil, errox.NewErrInvalidArgs("auth provider loginUrl field must be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider loginUrl field is not empty")
 	}
 
 	provider, err := s.registry.CreateProvider(ctx, authproviders.WithStorageView(providerReq), authproviders.WithValidateCallback(datastore.Singleton()))
 	if err != nil {
-		return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "creating auth provider instance")
+		return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "creating auth provider instance")
 	}
 	return provider.StorageView(), nil
 }
 
 func (s *serviceImpl) PutAuthProvider(ctx context.Context, request *storage.AuthProvider) (*storage.AuthProvider, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id must not be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 
 	provider := s.registry.GetProvider(request.GetId())
 	if provider == nil {
-		return nil, errox.NewErrInvalidArgs(fmt.Sprintf("auth provider with id %q does not exist", request.GetId()))
+		return nil, errox.InvalidArgs.CausedBy(fmt.Sprintf("auth provider with id %q does not exist", request.GetId()))
 	}
 
 	// Attempt to merge configs.
 	request.Config = provider.MergeConfigInto(request.GetConfig())
 
 	if err := s.registry.ValidateProvider(ctx, authproviders.WithStorageView(request)); err != nil {
-		return nil, errox.NewErrInvalidArgs(fmt.Sprintf("auth provider validation check failed: %v", err))
+		return nil, errox.InvalidArgs.CausedBy(fmt.Sprintf("auth provider validation check failed: %v", err))
 	}
 
 	// This will not log anyone out as the provider was not validated and thus no one has ever logged into it
@@ -198,14 +198,14 @@ func (s *serviceImpl) PutAuthProvider(ctx context.Context, request *storage.Auth
 
 	provider, err := s.registry.CreateProvider(ctx, authproviders.WithStorageView(request), authproviders.WithValidateCallback(datastore.Singleton()))
 	if err != nil {
-		return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "creating auth provider instance")
+		return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "creating auth provider instance")
 	}
 	return provider.StorageView(), nil
 }
 
 func (s *serviceImpl) UpdateAuthProvider(ctx context.Context, request *v1.UpdateAuthProviderRequest) (*storage.AuthProvider, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id must not be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 
 	var options []authproviders.ProviderOption
@@ -217,15 +217,15 @@ func (s *serviceImpl) UpdateAuthProvider(ctx context.Context, request *v1.Update
 	}
 	provider, err := s.registry.UpdateProvider(ctx, request.GetId(), options...)
 	if err != nil {
-		return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "updating auth provider")
+		return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "updating auth provider")
 	}
 	return provider.StorageView(), nil
 }
 
 // DeleteAuthProvider deletes an auth provider from the system
 func (s *serviceImpl) DeleteAuthProvider(ctx context.Context, request *v1.ResourceByID) (*v1.Empty, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id is required")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 
 	// Get auth provider.
diff --git a/central/cluster/datastore/datastore_impl.go b/central/cluster/datastore/datastore_impl.go
@@ -929,7 +929,7 @@ func (ds *datastoreImpl) LookupOrCreateClusterFromConfig(ctx context.Context, cl
 
 func normalizeCluster(cluster *storage.Cluster) error {
 	if cluster == nil {
-		return errox.NewErrInvariantViolation("cannot normalize nil cluster object")
+		return errox.InvariantViolation.CausedBy("cannot normalize nil cluster object")
 	}
 
 	cluster.CentralApiEndpoint = strings.TrimPrefix(cluster.GetCentralApiEndpoint(), "https://")
@@ -947,7 +947,7 @@ func validateInput(cluster *storage.Cluster) error {
 // `cluster.* bool` flags remain untouched.
 func addDefaults(cluster *storage.Cluster) error {
 	if cluster == nil {
-		return errox.NewErrInvariantViolation("cannot enrich nil cluster object")
+		return errox.InvariantViolation.CausedBy("cannot enrich nil cluster object")
 	}
 	// For backwards compatibility reasons, if Collection Method is not set then honor defaults for runtime support
 	if cluster.GetCollectionMethod() == storage.CollectionMethod_UNSET_COLLECTION {
diff --git a/central/compliance/standards/utils.go b/central/compliance/standards/utils.go
@@ -34,5 +34,5 @@ func IsSupported(standardID string) bool {
 
 // UnSupportedStandardsErr builds error message for unsupported compliance standards and returns the error
 func UnSupportedStandardsErr(unsupported ...string) error {
-	return errox.NewErrInvalidArgs(fmt.Sprintf("unsupported standard(s): %+v. Supported standards are %+v", unsupported, GetSupportedStandards()))
+	return errox.InvalidArgs.CausedBy(fmt.Sprintf("unsupported standard(s): %+v. Supported standards are %+v", unsupported, GetSupportedStandards()))
 }
diff --git a/central/detection/service/service_impl.go b/central/detection/service/service_impl.go
@@ -126,7 +126,7 @@ func (s *serviceImpl) DetectBuildTime(ctx context.Context, req *apiV1.BuildDetec
 		}
 	}
 	if image.GetName() == nil {
-		return nil, errox.NewErrInvalidArgs("image or image_name must be specified")
+		return nil, errox.InvalidArgs.CausedBy("image or image_name must be specified")
 	}
 	// This is a workaround for those who post the full image, but don't fill in fullname
 	if name := image.GetName(); name != nil && name.GetFullName() == "" {
@@ -288,7 +288,7 @@ func getObjectsFromList(list *coreV1.List) ([]k8sRuntime.Object, []string, error
 // DetectDeployTimeFromYAML runs detection on a deployment.
 func (s *serviceImpl) DetectDeployTimeFromYAML(ctx context.Context, req *apiV1.DeployYAMLDetectionRequest) (*apiV1.DeployDetectionResponse, error) {
 	if req.GetYaml() == "" {
-		return nil, errox.NewErrInvalidArgs("yaml field must be specified in detection request")
+		return nil, errox.InvalidArgs.CausedBy("yaml field must be specified in detection request")
 	}
 
 	resources, ignoredObjectRefs, err := getObjectsFromYAML(req.GetYaml())
@@ -347,7 +347,7 @@ func (s *serviceImpl) populateDeploymentWithClusterInfo(ctx context.Context, clu
 // DetectDeployTime runs detection on a deployment.
 func (s *serviceImpl) DetectDeployTime(ctx context.Context, req *apiV1.DeployDetectionRequest) (*apiV1.DeployDetectionResponse, error) {
 	if req.GetDeployment() == nil {
-		return nil, errox.NewErrInvalidArgs("deployment must be passed to deploy time detection")
+		return nil, errox.InvalidArgs.CausedBy("deployment must be passed to deploy time detection")
 	}
 	if err := s.populateDeploymentWithClusterInfo(ctx, req.GetClusterId(), req.GetDeployment()); err != nil {
 		return nil, err
diff --git a/central/networkpolicies/service/service_impl.go b/central/networkpolicies/service/service_impl.go
@@ -1075,7 +1075,7 @@ func compileValidateYaml(simulationYaml string) ([]*storage.NetworkPolicy, error
 	// Check that all resulting policies have namespaces.
 	for _, policy := range policies {
 		if policy.GetNamespace() == "" {
-			return nil, errox.NewErrInvalidArgs("yamls tested against must apply to a namespace")
+			return nil, errox.InvalidArgs.CausedBy("yamls tested against must apply to a namespace")
 		}
 	}
 
diff --git a/central/policy/service/service_impl.go b/central/policy/service/service_impl.go
@@ -853,7 +853,7 @@ func (s *serviceImpl) PolicyFromSearch(ctx context.Context, request *v1.PolicyFr
 func (s *serviceImpl) parsePolicy(ctx context.Context, searchString string) (*storage.Policy, []search.FieldLabel, bool, error) {
 	// Handle empty input query case.
 	if len(searchString) == 0 {
-		return nil, nil, false, errox.NewErrInvalidArgs("can not generate a policy from an empty query")
+		return nil, nil, false, errox.InvalidArgs.CausedBy("can not generate a policy from an empty query")
 	}
 	// Have a filled query, parse it.
 	fieldMap, err := getFieldMapFromQueryString(searchString)
diff --git a/central/role/service/service_impl.go b/central/role/service/service_impl.go
@@ -113,7 +113,7 @@ func (s *serviceImpl) CreateRole(ctx context.Context, roleRequest *v1.CreateRole
 
 	// Check role request correctness.
 	if role.GetName() != "" && role.GetName() != roleRequest.GetName() {
-		return nil, errox.NewErrInvalidArgs("different role names in path and body")
+		return nil, errox.InvalidArgs.CausedBy("different role names in path and body")
 	}
 	role.Name = roleRequest.GetName()
 
@@ -208,7 +208,7 @@ func (s *serviceImpl) ListPermissionSets(ctx context.Context, _ *v1.Empty) (*v1.
 
 func (s *serviceImpl) PostPermissionSet(ctx context.Context, permissionSet *storage.PermissionSet) (*storage.PermissionSet, error) {
 	if permissionSet.GetId() != "" {
-		return nil, errox.NewErrInvalidArgs("setting id field is not allowed")
+		return nil, errox.InvalidArgs.CausedBy("setting id field is not allowed")
 	}
 	permissionSet.Id = rolePkg.GeneratePermissionSetID()
 
@@ -274,7 +274,7 @@ func (s *serviceImpl) ListSimpleAccessScopes(ctx context.Context, _ *v1.Empty) (
 
 func (s *serviceImpl) PostSimpleAccessScope(ctx context.Context, scope *storage.SimpleAccessScope) (*storage.SimpleAccessScope, error) {
 	if scope.GetId() != "" {
-		return nil, errox.NewErrInvalidArgs("setting id field is not allowed")
+		return nil, errox.InvalidArgs.CausedBy("setting id field is not allowed")
 	}
 	scope.Id = rolePkg.GenerateAccessScopeID()
 
diff --git a/central/sensor/service/service_impl.go b/central/sensor/service/service_impl.go
@@ -70,7 +70,7 @@ func (s *serviceImpl) Communicate(server central.SensorService_CommunicateServer
 
 	svc := identity.Service()
 	if svc == nil || svc.GetType() != storage.ServiceType_SENSOR_SERVICE {
-		return errox.NewErrNotAuthorized("only sensor may access this API")
+		return errox.NotAuthorized.CausedBy("only sensor may access this API")
 	}
 
 	sensorHello, sensorSupportsHello, err := receiveSensorHello(server)
diff --git a/central/sensorupgrade/controlservice/service_impl.go b/central/sensorupgrade/controlservice/service_impl.go
@@ -36,12 +36,12 @@ func clusterIDFromCtx(ctx context.Context) (string, error) {
 
 	svc := id.Service()
 	if svc == nil || svc.GetType() != storage.ServiceType_SENSOR_SERVICE {
-		return "", errox.NewErrNotAuthorized("only sensor/upgrader may access this API")
+		return "", errox.NotAuthorized.CausedBy("only sensor/upgrader may access this API")
 	}
 
 	clusterID := svc.GetId()
 	if clusterID == "" {
-		return "", errox.NewErrNotAuthorized("only sensors with a valid cluster ID may access this API")
+		return "", errox.NotAuthorized.CausedBy("only sensors with a valid cluster ID may access this API")
 	}
 	return clusterID, nil
 }
diff --git a/central/signatureintegration/datastore/datastore_impl.go b/central/signatureintegration/datastore/datastore_impl.go
@@ -67,7 +67,7 @@ func (d *datastoreImpl) AddSignatureIntegration(ctx context.Context, integration
 	}
 	integration.Id = GenerateSignatureIntegrationID()
 	if err := ValidateSignatureIntegration(integration); err != nil {
-		return nil, errox.NewErrInvalidArgs(err.Error())
+		return nil, errox.InvalidArgs.CausedBy(err.Error())
 	}
 
 	// Protect against TOCTOU race condition.
@@ -93,7 +93,7 @@ func (d *datastoreImpl) UpdateSignatureIntegration(ctx context.Context, integrat
 		return false, err
 	}
 	if err := ValidateSignatureIntegration(integration); err != nil {
-		return false, errox.NewErrInvalidArgs(err.Error())
+		return false, errox.InvalidArgs.CausedBy(err.Error())
 	}
 
 	// Protect against TOCTOU race condition.
diff --git a/pkg/auth/authproviders/provider_impl.go b/pkg/auth/authproviders/provider_impl.go
@@ -117,7 +117,7 @@ func (p *providerImpl) GetOrCreateBackend(ctx context.Context) (Backend, error)
 
 	// Backend factories are not guaranteed to survive product upgrades or restarts.
 	if p.backendFactory == nil {
-		return nil, errox.NewErrInvariantViolation(
+		return nil, errox.InvariantViolation.CausedBy(
 			"the backend for this authentication provider cannot be instantiated;" +
 				" this is probably because of a recent upgrade or a configuration change")
 	}
diff --git a/pkg/auth/authproviders/registry_httphandler.go b/pkg/auth/authproviders/registry_httphandler.go
@@ -275,7 +275,7 @@ func (r *registryImpl) providersHTTPHandler(w http.ResponseWriter, req *http.Req
 
 	userInfo := user.GetUserInfo()
 	if userInfo == nil {
-		err := errox.NewErrNotAuthorized("failed to get user info")
+		err := errox.NotAuthorized.CausedBy("failed to get user info")
 		r.error(w, err, typ, clientState, testMode)
 		return
 	}
diff --git a/pkg/errox/errors.go b/pkg/errox/errors.go
@@ -52,23 +52,3 @@ func GenericNoValidRole() error {
 	return NoValidRole.New("access for this user is not authorized: no valid role," +
 		" please contact your system administrator")
 }
-
-// NewErrNotAuthorized wraps NotAuthorized into an explanation.
-func NewErrNotAuthorized(explanation string) error {
-	return NotAuthorized.CausedBy(explanation)
-}
-
-// NewErrNoCredentials wraps NoCredentials into an explanation.
-func NewErrNoCredentials(explanation string) error {
-	return NoCredentials.CausedBy(explanation)
-}
-
-// NewErrInvariantViolation wraps InvariantViolation into an explanation.
-func NewErrInvariantViolation(explanation string) error {
-	return InvariantViolation.CausedBy(explanation)
-}
-
-// NewErrInvalidArgs wraps InvalidArgs into an explanation.
-func NewErrInvalidArgs(explanation string) error {
-	return InvalidArgs.CausedBy(explanation)
-}
diff --git a/pkg/gjson/row.go b/pkg/gjson/row.go
@@ -22,7 +22,7 @@ type RowMapper struct {
 func NewRowMapper(jsonObj interface{}, multiPathExpression string) (*RowMapper, error) {
 	bytes, err := json.Marshal(jsonObj)
 	if err != nil {
-		return nil, errox.NewErrInvariantViolation(err.Error())
+		return nil, errox.InvariantViolation.CausedBy(err.Error())
 	}
 
 	result, err := getResultFromBytes(bytes, multiPathExpression)
@@ -85,7 +85,7 @@ func isJaggedArray(array [][]string) error {
 func getResultFromBytes(bytes []byte, jsonPathExpression string) (gjson.Result, error) {
 	results := gjson.GetManyBytes(bytes, jsonPathExpression)
 	if len(results) != 1 {
-		return gjson.Result{}, errox.NewErrInvariantViolation("expected gjson " +
+		return gjson.Result{}, errox.InvariantViolation.CausedBy("expected gjson " +
 			"results to be exactly 1")
 	}
 
@@ -112,7 +112,7 @@ func getRowsFromColumns(columns [][]string) [][]string {
 
 // jaggedArrayError helper to create an errox.InvariantViolation with an explanation about a jagged array being found
 func jaggedArrayError(maxAmount, violatedAmount, arrayIndex int) error {
-	return errox.NewErrInvariantViolation(fmt.Sprintf("jagged array found: yielded values within "+
+	return errox.InvariantViolation.CausedBy(fmt.Sprintf("jagged array found: yielded values within "+
 		"each array are not matching; expected each array to hold %d elements but found an array with %d elements "+
 		"at array index %d", maxAmount, violatedAmount, arrayIndex+1))
 }
diff --git a/pkg/grpc/authn/basic/manager.go b/pkg/grpc/authn/basic/manager.go
@@ -30,7 +30,7 @@ func (m *Manager) SetHashFile(hashFile *htpasswd.HashFile) {
 // IdentityForCreds returns an identity for the given credentials.
 func (m *Manager) IdentityForCreds(ctx context.Context, username, password string, authProvider authproviders.Provider) (Identity, error) {
 	if !m.hashFile().Check(username, password) {
-		return nil, errox.NewErrNotAuthorized("invalid username and/or password")
+		return nil, errox.NotAuthorized.CausedBy("invalid username and/or password")
 	}
 
 	resolvedRoles, err := m.mapper.FromUserDescriptor(ctx, &permissions.UserDescriptor{
diff --git a/pkg/grpc/authn/interceptor.go b/pkg/grpc/authn/interceptor.go
@@ -28,7 +28,7 @@ func (u contextUpdater) updateContext(ctx context.Context) (context.Context, err
 			log.Warnf("Cannot extract identity: %v", err)
 		}
 		// Ignore id value if error is not nil.
-		return context.WithValue(ctx, identityErrorContextKey{}, errox.NewErrNoCredentials(err.Error())), nil
+		return context.WithValue(ctx, identityErrorContextKey{}, errox.NoCredentials.CausedBy(err.Error())), nil
 	}
 	if id != nil {
 		// Only service identities can have no roles assigned.
diff --git a/pkg/grpc/authz/and/and.go b/pkg/grpc/authz/and/and.go
@@ -20,7 +20,7 @@ func (a *and) Authorized(ctx context.Context, fullMethodName string) error {
 		}
 	}
 	if len(errors) != 0 {
-		return errox.NewErrNotAuthorized(errorhelpers.NewErrorListWithErrors("some authorizer could not authorize this request:", errors).String())
+		return errox.NotAuthorized.CausedBy(errorhelpers.NewErrorListWithErrors("some authorizer could not authorize this request:", errors).String())
 	}
 	return nil
 }
diff --git a/pkg/grpc/authz/idcheck/service_type.go b/pkg/grpc/authz/idcheck/service_type.go
@@ -16,7 +16,7 @@ func (s serviceType) AuthorizeByIdentity(id authn.Identity) error {
 		return errox.NoCredentials
 	}
 	if svc.GetType() != storage.ServiceType(s) {
-		return errox.NewErrNotAuthorized("service source type not allowed")
+		return errox.NotAuthorized.CausedBy("service source type not allowed")
 	}
 	return nil
 }
diff --git a/pkg/grpc/authz/or/or.go b/pkg/grpc/authz/or/or.go
@@ -22,7 +22,7 @@ func (o *or) Authorized(ctx context.Context, fullMethodName string) error {
 		}
 		errors = append(errors, err)
 	}
-	return errox.NewErrNotAuthorized(errorhelpers.NewErrorListWithErrors("no authorizer could authorize this request:", errors).String())
+	return errox.NotAuthorized.CausedBy(errorhelpers.NewErrorListWithErrors("no authorizer could authorize this request:", errors).String())
 }
 
 // Or creates an Authorizer that succeeds if any of the provided Authorizers succeed.
diff --git a/pkg/grpc/authz/user/role.go b/pkg/grpc/authz/user/role.go
@@ -39,5 +39,5 @@ func (p *roleChecker) checkRole(roleNames []string) error {
 		}
 	}
 
-	return errox.NewErrNotAuthorized(fmt.Sprintf("role %q is required", p.roleName))
+	return errox.NotAuthorized.CausedBy(fmt.Sprintf("role %q is required", p.roleName))
 }
diff --git a/pkg/grpc/authz/user/user.go b/pkg/grpc/authz/user/user.go
@@ -70,7 +70,7 @@ func (p *permissionChecker) checkGlobalSACPermissions(ctx context.Context, rootS
 		return err
 	}
 	if !allowed {
-		return errox.NewErrNotAuthorized("scoped access")
+		return errox.NotAuthorized.CausedBy("scoped access")
 	}
 	return nil
 }
@@ -81,7 +81,7 @@ func (p *permissionChecker) checkPermissions(rolePerms map[string]storage.Access
 	}
 	for _, requiredPerm := range p.requiredPermissions {
 		if !evaluateAgainstPermissions(rolePerms, requiredPerm) {
-			return errox.NewErrNotAuthorized(fmt.Sprintf("%q for %q", requiredPerm.Access, requiredPerm.Resource))
+			return errox.NotAuthorized.CausedBy(fmt.Sprintf("%q for %q", requiredPerm.Access, requiredPerm.Resource))
 		}
 	}
 	return nil
diff --git a/pkg/grpc/errors/interceptor_test.go b/pkg/grpc/errors/interceptor_test.go
@@ -221,7 +221,7 @@ func TestPanicOnInvariantViolationStreamInterceptor(t *testing.T) {
 		},
 		"Error is ErrInvariantViolation -> panic": {
 			handler: func(srv interface{}, stream grpc.ServerStream) error {
-				return errox.NewErrInvariantViolation("some explanation")
+				return errox.InvariantViolation.CausedBy("some explanation")
 			},
 			err:    nil,
 			panics: true,
diff --git a/pkg/printers/junit.go b/pkg/printers/junit.go
diff --git a/pkg/registries/ecr/ecr.go b/pkg/registries/ecr/ecr.go
diff --git a/pkg/search/general_query_parser.go b/pkg/search/general_query_parser.go
diff --git a/roxctl/common/flags/opt_bool.go b/roxctl/common/flags/opt_bool.go
diff --git a/roxctl/common/printer/junitprinter_factory.go b/roxctl/common/printer/junitprinter_factory.go
diff --git a/roxctl/common/printer/tabularprinter_factory.go b/roxctl/common/printer/tabularprinter_factory.go
diff --git a/roxctl/completion/completion.go b/roxctl/completion/completion.go
diff --git a/roxctl/deployment/check/check.go b/roxctl/deployment/check/check.go
diff --git a/roxctl/helm/derivelocalvalues/command.go b/roxctl/helm/derivelocalvalues/command.go
diff --git a/roxctl/image/scan/scan.go b/roxctl/image/scan/scan.go
diff --git a/roxctl/pflag/autobool/autobool.go b/roxctl/pflag/autobool/autobool.go
diff --git a/roxctl/scanner/generate/generate.go b/roxctl/scanner/generate/generate.go

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ func (s serviceImpl) GenerateToken(ctx context.Context, req v1.GenerateTokenRe`
`101`	`101`	`return nil, err`
`102`	`102`	`}`
`103`	`103`	`if err := verifyNoPrivilegeEscalation(id.Roles(), roles); err != nil {`
`104`		`- return nil, errox.NewErrNotAuthorized(err.Error())`
	`104`	`+ return nil, errox.NotAuthorized.CausedBy(err.Error())`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`token, metadata, err := s.backend.IssueRoleToken(ctx, req.GetName(), utils.RoleNames(roles))`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func (s *serviceImpl) AuthFuncOverride(ctx context.Context, fullMethodName strin`
`70`	`70`	`// GetAuthProvider retrieves the authProvider based on the id passed`
`71`	`71`	`func (s serviceImpl) GetAuthProvider(_ context.Context, request v1.GetAuthProviderRequest) (*storage.AuthProvider, error) {`
`72`	`72`	`if request.GetId() == "" {`
`73`		`- return nil, errox.NewErrInvalidArgs("auth provider id is required")`
	`73`	`+ return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")`
`74`	`74`	`}`
`75`	`75`	`authProvider := s.registry.GetProvider(request.GetId())`
`76`	`76`	`if authProvider == nil {`
`@@ -158,37 +158,37 @@ func (s serviceImpl) GetAuthProviders(_ context.Context, request v1.GetAuthPro`
`158`	`158`	`func (s serviceImpl) PostAuthProvider(ctx context.Context, request v1.PostAuthProviderRequest) (*storage.AuthProvider, error) {`
`159`	`159`	`providerReq := request.GetProvider()`
`160`	`160`	`if providerReq.GetName() == "" {`
`161`		`- return nil, errox.NewErrInvalidArgs("no auth provider name specified")`
	`161`	`+ return nil, errox.InvalidArgs.CausedBy("no auth provider name specified")`
`162`	`162`	`}`
`163`	`163`	`if providerReq.GetId() != "" {`
`164`		`- return nil, errox.NewErrInvalidArgs("auth provider id must be empty")`
	`164`	`+ return nil, errox.InvalidArgs.CausedBy("auth provider id is not empty")`
`165`	`165`	`}`
`166`	`166`	`if providerReq.GetLoginUrl() != "" {`
`167`		`- return nil, errox.NewErrInvalidArgs("auth provider loginUrl field must be empty")`
	`167`	`+ return nil, errox.InvalidArgs.CausedBy("auth provider loginUrl field is not empty")`
`168`	`168`	`}`
`169`	`169`
`170`	`170`	`provider, err := s.registry.CreateProvider(ctx, authproviders.WithStorageView(providerReq), authproviders.WithValidateCallback(datastore.Singleton()))`
`171`	`171`	`if err != nil {`
`172`		`- return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "creating auth provider instance")`
	`172`	`+ return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "creating auth provider instance")`
`173`	`173`	`}`
`174`	`174`	`return provider.StorageView(), nil`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`func (s serviceImpl) PutAuthProvider(ctx context.Context, request storage.AuthProvider) (*storage.AuthProvider, error) {`
`178`	`178`	`if request.GetId() == "" {`
`179`		`- return nil, errox.NewErrInvalidArgs("auth provider id must not be empty")`
	`179`	`+ return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")`
`180`	`180`	`}`
`181`	`181`
`182`	`182`	`provider := s.registry.GetProvider(request.GetId())`
`183`	`183`	`if provider == nil {`
`184`		`- return nil, errox.NewErrInvalidArgs(fmt.Sprintf("auth provider with id %q does not exist", request.GetId()))`
	`184`	`+ return nil, errox.InvalidArgs.CausedBy(fmt.Sprintf("auth provider with id %q does not exist", request.GetId()))`
`185`	`185`	`}`
`186`	`186`
`187`	`187`	`// Attempt to merge configs.`
`188`	`188`	`request.Config = provider.MergeConfigInto(request.GetConfig())`
`189`	`189`
`190`	`190`	`if err := s.registry.ValidateProvider(ctx, authproviders.WithStorageView(request)); err != nil {`
`191`		`- return nil, errox.NewErrInvalidArgs(fmt.Sprintf("auth provider validation check failed: %v", err))`
	`191`	`+ return nil, errox.InvalidArgs.CausedBy(fmt.Sprintf("auth provider validation check failed: %v", err))`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`// This will not log anyone out as the provider was not validated and thus no one has ever logged into it`
`@@ -198,14 +198,14 @@ func (s serviceImpl) PutAuthProvider(ctx context.Context, request storage.Auth`
`198`	`198`
`199`	`199`	`provider, err := s.registry.CreateProvider(ctx, authproviders.WithStorageView(request), authproviders.WithValidateCallback(datastore.Singleton()))`
`200`	`200`	`if err != nil {`
`201`		`- return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "creating auth provider instance")`
	`201`	`+ return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "creating auth provider instance")`
`202`	`202`	`}`
`203`	`203`	`return provider.StorageView(), nil`
`204`	`204`	`}`
`205`	`205`
`206`	`206`	`func (s serviceImpl) UpdateAuthProvider(ctx context.Context, request v1.UpdateAuthProviderRequest) (*storage.AuthProvider, error) {`
`207`	`207`	`if request.GetId() == "" {`
`208`		`- return nil, errox.NewErrInvalidArgs("auth provider id must not be empty")`
	`208`	`+ return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")`
`209`	`209`	`}`
`210`	`210`
`211`	`211`	`var options []authproviders.ProviderOption`
`@@ -217,15 +217,15 @@ func (s serviceImpl) UpdateAuthProvider(ctx context.Context, request v1.Update`
`217`	`217`	`}`
`218`	`218`	`provider, err := s.registry.UpdateProvider(ctx, request.GetId(), options...)`
`219`	`219`	`if err != nil {`
`220`		`- return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "updating auth provider")`
	`220`	`+ return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "updating auth provider")`
`221`	`221`	`}`
`222`	`222`	`return provider.StorageView(), nil`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`// DeleteAuthProvider deletes an auth provider from the system`
`226`	`226`	`func (s serviceImpl) DeleteAuthProvider(ctx context.Context, request v1.ResourceByID) (*v1.Empty, error) {`
`227`	`227`	`if request.GetId() == "" {`
`228`		`- return nil, errox.NewErrInvalidArgs("auth provider id is required")`
	`228`	`+ return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")`
`229`	`229`	`}`
`230`	`230`
`231`	`231`	`// Get auth provider.`
Original file line number	Diff line number	Diff line change
`@@ -34,5 +34,5 @@ func IsSupported(standardID string) bool {`
`34`	`34`
`35`	`35`	`// UnSupportedStandardsErr builds error message for unsupported compliance standards and returns the error`
`36`	`36`	`func UnSupportedStandardsErr(unsupported ...string) error {`
`37`		`- return errox.NewErrInvalidArgs(fmt.Sprintf("unsupported standard(s): %+v. Supported standards are %+v", unsupported, GetSupportedStandards()))`
	`37`	`+ return errox.InvalidArgs.CausedBy(fmt.Sprintf("unsupported standard(s): %+v. Supported standards are %+v", unsupported, GetSupportedStandards()))`
`38`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ func (s serviceImpl) DetectBuildTime(ctx context.Context, req apiV1.BuildDetec`
`126`	`126`	`}`
`127`	`127`	`}`
`128`	`128`	`if image.GetName() == nil {`
`129`		`- return nil, errox.NewErrInvalidArgs("image or image_name must be specified")`
	`129`	`+ return nil, errox.InvalidArgs.CausedBy("image or image_name must be specified")`
`130`	`130`	`}`
`131`	`131`	`// This is a workaround for those who post the full image, but don't fill in fullname`
`132`	`132`	`if name := image.GetName(); name != nil && name.GetFullName() == "" {`
`@@ -288,7 +288,7 @@ func getObjectsFromList(list *coreV1.List) ([]k8sRuntime.Object, []string, error`
`288`	`288`	`// DetectDeployTimeFromYAML runs detection on a deployment.`
`289`	`289`	`func (s serviceImpl) DetectDeployTimeFromYAML(ctx context.Context, req apiV1.DeployYAMLDetectionRequest) (*apiV1.DeployDetectionResponse, error) {`
`290`	`290`	`if req.GetYaml() == "" {`
`291`		`- return nil, errox.NewErrInvalidArgs("yaml field must be specified in detection request")`
	`291`	`+ return nil, errox.InvalidArgs.CausedBy("yaml field must be specified in detection request")`
`292`	`292`	`}`
`293`	`293`
`294`	`294`	`resources, ignoredObjectRefs, err := getObjectsFromYAML(req.GetYaml())`
`@@ -347,7 +347,7 @@ func (s *serviceImpl) populateDeploymentWithClusterInfo(ctx context.Context, clu`
`347`	`347`	`// DetectDeployTime runs detection on a deployment.`
`348`	`348`	`func (s serviceImpl) DetectDeployTime(ctx context.Context, req apiV1.DeployDetectionRequest) (*apiV1.DeployDetectionResponse, error) {`
`349`	`349`	`if req.GetDeployment() == nil {`
`350`		`- return nil, errox.NewErrInvalidArgs("deployment must be passed to deploy time detection")`
	`350`	`+ return nil, errox.InvalidArgs.CausedBy("deployment must be passed to deploy time detection")`
`351`	`351`	`}`
`352`	`352`	`if err := s.populateDeploymentWithClusterInfo(ctx, req.GetClusterId(), req.GetDeployment()); err != nil {`
`353`	`353`	`return nil, err`
Original file line number	Diff line number	Diff line change
`@@ -1075,7 +1075,7 @@ func compileValidateYaml(simulationYaml string) ([]*storage.NetworkPolicy, error`
`1075`	`1075`	`// Check that all resulting policies have namespaces.`
`1076`	`1076`	`for _, policy := range policies {`
`1077`	`1077`	`if policy.GetNamespace() == "" {`
`1078`		`- return nil, errox.NewErrInvalidArgs("yamls tested against must apply to a namespace")`
	`1078`	`+ return nil, errox.InvalidArgs.CausedBy("yamls tested against must apply to a namespace")`
`1079`	`1079`	`}`
`1080`	`1080`	`}`
`1081`	`1081`
Original file line number	Diff line number	Diff line change
`@@ -853,7 +853,7 @@ func (s serviceImpl) PolicyFromSearch(ctx context.Context, request v1.PolicyFr`
`853`	`853`	`func (s serviceImpl) parsePolicy(ctx context.Context, searchString string) (storage.Policy, []search.FieldLabel, bool, error) {`
`854`	`854`	`// Handle empty input query case.`
`855`	`855`	`if len(searchString) == 0 {`
`856`		`- return nil, nil, false, errox.NewErrInvalidArgs("can not generate a policy from an empty query")`
	`856`	`+ return nil, nil, false, errox.InvalidArgs.CausedBy("can not generate a policy from an empty query")`
`857`	`857`	`}`
`858`	`858`	`// Have a filled query, parse it.`
`859`	`859`	`fieldMap, err := getFieldMapFromQueryString(searchString)`
Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ func (s serviceImpl) CreateRole(ctx context.Context, roleRequest v1.CreateRole`
`113`	`113`
`114`	`114`	`// Check role request correctness.`
`115`	`115`	`if role.GetName() != "" && role.GetName() != roleRequest.GetName() {`
`116`		`- return nil, errox.NewErrInvalidArgs("different role names in path and body")`
	`116`	`+ return nil, errox.InvalidArgs.CausedBy("different role names in path and body")`
`117`	`117`	`}`
`118`	`118`	`role.Name = roleRequest.GetName()`
`119`	`119`
`@@ -208,7 +208,7 @@ func (s serviceImpl) ListPermissionSets(ctx context.Context, _ v1.Empty) (*v1.`
`208`	`208`
`209`	`209`	`func (s serviceImpl) PostPermissionSet(ctx context.Context, permissionSet storage.PermissionSet) (*storage.PermissionSet, error) {`
`210`	`210`	`if permissionSet.GetId() != "" {`
`211`		`- return nil, errox.NewErrInvalidArgs("setting id field is not allowed")`
	`211`	`+ return nil, errox.InvalidArgs.CausedBy("setting id field is not allowed")`
`212`	`212`	`}`
`213`	`213`	`permissionSet.Id = rolePkg.GeneratePermissionSetID()`
`214`	`214`
`@@ -274,7 +274,7 @@ func (s serviceImpl) ListSimpleAccessScopes(ctx context.Context, _ v1.Empty) (`
`274`	`274`
`275`	`275`	`func (s serviceImpl) PostSimpleAccessScope(ctx context.Context, scope storage.SimpleAccessScope) (*storage.SimpleAccessScope, error) {`
`276`	`276`	`if scope.GetId() != "" {`
`277`		`- return nil, errox.NewErrInvalidArgs("setting id field is not allowed")`
	`277`	`+ return nil, errox.InvalidArgs.CausedBy("setting id field is not allowed")`
`278`	`278`	`}`
`279`	`279`	`scope.Id = rolePkg.GenerateAccessScopeID()`
`280`	`280`