stackrox · mtodor · Apr 28, 2022 · Apr 20, 2022 · Apr 20, 2022 · Apr 21, 2022
diff --git a/.golangci.yml b/.golangci.yml
@@ -80,7 +80,7 @@ linters-settings:
   wrapcheck:
     ignoreSigRegexps:
       - utils\.Should
-      - errox\.New.*
+      - errox\..+\.CausedBy(f)?
       - retry\.MakeRetryable
       - policy\.NewErr.*
 

diff --git a/central/apitoken/service/service_impl.go b/central/apitoken/service/service_impl.go
@@ -101,7 +101,7 @@ func (s *serviceImpl) GenerateToken(ctx context.Context, req *v1.GenerateTokenRe
 		return nil, err
 	}
 	if err := verifyNoPrivilegeEscalation(id.Roles(), roles); err != nil {
-		return nil, errox.NewErrNotAuthorized(err.Error())
+		return nil, errox.NotAuthorized.CausedBy(err.Error())
-		return nil, errox.NotAuthorized.CausedBy(err.Error())
+		return nil, errox.NotAuthorized.CausedBy(err)
-		return nil, errox.NotAuthorized.CausedBy(err.Error())
+		return nil, errox.NotAuthorized.CausedBy(err)
 	}
 
 	token, metadata, err := s.backend.IssueRoleToken(ctx, req.GetName(), utils.RoleNames(roles))

diff --git a/central/authprovider/service/service_impl.go b/central/authprovider/service/service_impl.go
@@ -70,7 +70,7 @@ func (s *serviceImpl) AuthFuncOverride(ctx context.Context, fullMethodName strin
 // GetAuthProvider retrieves the authProvider based on the id passed
 func (s *serviceImpl) GetAuthProvider(_ context.Context, request *v1.GetAuthProviderRequest) (*storage.AuthProvider, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id is required")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 	authProvider := s.registry.GetProvider(request.GetId())
 	if authProvider == nil {
@@ -158,37 +158,37 @@ func (s *serviceImpl) GetAuthProviders(_ context.Context, request *v1.GetAuthPro
 func (s *serviceImpl) PostAuthProvider(ctx context.Context, request *v1.PostAuthProviderRequest) (*storage.AuthProvider, error) {
 	providerReq := request.GetProvider()
 	if providerReq.GetName() == "" {
-		return nil, errox.NewErrInvalidArgs("no auth provider name specified")
+		return nil, errox.InvalidArgs.CausedBy("no auth provider name specified")
 	}
 	if providerReq.GetId() != "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id must be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is not empty")
 	}
 	if providerReq.GetLoginUrl() != "" {
-		return nil, errox.NewErrInvalidArgs("auth provider loginUrl field must be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider loginUrl field is not empty")
 	}
 
 	provider, err := s.registry.CreateProvider(ctx, authproviders.WithStorageView(providerReq), authproviders.WithValidateCallback(datastore.Singleton()))
 	if err != nil {
-		return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "creating auth provider instance")
+		return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "creating auth provider instance")
 	}
 	return provider.StorageView(), nil
 }
 
 func (s *serviceImpl) PutAuthProvider(ctx context.Context, request *storage.AuthProvider) (*storage.AuthProvider, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id must not be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 
 	provider := s.registry.GetProvider(request.GetId())
 	if provider == nil {
-		return nil, errox.NewErrInvalidArgs(fmt.Sprintf("auth provider with id %q does not exist", request.GetId()))
+		return nil, errox.InvalidArgs.CausedBy(fmt.Sprintf("auth provider with id %q does not exist", request.GetId()))
 	}
 
 	// Attempt to merge configs.
 	request.Config = provider.MergeConfigInto(request.GetConfig())
 
 	if err := s.registry.ValidateProvider(ctx, authproviders.WithStorageView(request)); err != nil {
-		return nil, errox.NewErrInvalidArgs(fmt.Sprintf("auth provider validation check failed: %v", err))
+		return nil, errox.InvalidArgs.CausedBy(fmt.Sprintf("auth provider validation check failed: %v", err))
 	}
 
 	// This will not log anyone out as the provider was not validated and thus no one has ever logged into it
@@ -198,14 +198,14 @@ func (s *serviceImpl) PutAuthProvider(ctx context.Context, request *storage.Auth
 
 	provider, err := s.registry.CreateProvider(ctx, authproviders.WithStorageView(request), authproviders.WithValidateCallback(datastore.Singleton()))
 	if err != nil {
-		return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "creating auth provider instance")
+		return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "creating auth provider instance")
 	}
 	return provider.StorageView(), nil
 }
 
 func (s *serviceImpl) UpdateAuthProvider(ctx context.Context, request *v1.UpdateAuthProviderRequest) (*storage.AuthProvider, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id must not be empty")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 
 	var options []authproviders.ProviderOption
@@ -217,15 +217,15 @@ func (s *serviceImpl) UpdateAuthProvider(ctx context.Context, request *v1.Update
 	}
 	provider, err := s.registry.UpdateProvider(ctx, request.GetId(), options...)
 	if err != nil {
-		return nil, errors.Wrap(errox.NewErrInvalidArgs(err.Error()), "updating auth provider")
+		return nil, errors.Wrap(errox.InvalidArgs.CausedBy(err.Error()), "updating auth provider")
 	}
 	return provider.StorageView(), nil
 }
 
 // DeleteAuthProvider deletes an auth provider from the system
 func (s *serviceImpl) DeleteAuthProvider(ctx context.Context, request *v1.ResourceByID) (*v1.Empty, error) {
 	if request.GetId() == "" {
-		return nil, errox.NewErrInvalidArgs("auth provider id is required")
+		return nil, errox.InvalidArgs.CausedBy("auth provider id is empty")
 	}
 
 	// Get auth provider.

diff --git a/central/cluster/datastore/datastore_impl.go b/central/cluster/datastore/datastore_impl.go
@@ -929,7 +929,7 @@ func (ds *datastoreImpl) LookupOrCreateClusterFromConfig(ctx context.Context, cl
 
 func normalizeCluster(cluster *storage.Cluster) error {
 	if cluster == nil {
-		return errox.NewErrInvariantViolation("cannot normalize nil cluster object")
+		return errox.InvariantViolation.CausedBy("cannot normalize nil cluster object")
 	}
 
 	cluster.CentralApiEndpoint = strings.TrimPrefix(cluster.GetCentralApiEndpoint(), "https://")
@@ -947,7 +947,7 @@ func validateInput(cluster *storage.Cluster) error {
 // `cluster.* bool` flags remain untouched.
 func addDefaults(cluster *storage.Cluster) error {
 	if cluster == nil {
-		return errox.NewErrInvariantViolation("cannot enrich nil cluster object")
+		return errox.InvariantViolation.CausedBy("cannot enrich nil cluster object")
 	}
 	// For backwards compatibility reasons, if Collection Method is not set then honor defaults for runtime support
 	if cluster.GetCollectionMethod() == storage.CollectionMethod_UNSET_COLLECTION {

diff --git a/central/compliance/standards/utils.go b/central/compliance/standards/utils.go
@@ -34,5 +34,5 @@ func IsSupported(standardID string) bool {
 
 // UnSupportedStandardsErr builds error message for unsupported compliance standards and returns the error
 func UnSupportedStandardsErr(unsupported ...string) error {
-	return errox.NewErrInvalidArgs(fmt.Sprintf("unsupported standard(s): %+v. Supported standards are %+v", unsupported, GetSupportedStandards()))
+	return errox.InvalidArgs.CausedBy(fmt.Sprintf("unsupported standard(s): %+v. Supported standards are %+v", unsupported, GetSupportedStandards()))
 }
diff --git a/central/detection/service/service_impl.go b/central/detection/service/service_impl.go
@@ -126,7 +126,7 @@ func (s *serviceImpl) DetectBuildTime(ctx context.Context, req *apiV1.BuildDetec
 		}
 	}
 	if image.GetName() == nil {
-		return nil, errox.NewErrInvalidArgs("image or image_name must be specified")
+		return nil, errox.InvalidArgs.CausedBy("image or image_name must be specified")
 	}
 	// This is a workaround for those who post the full image, but don't fill in fullname
 	if name := image.GetName(); name != nil && name.GetFullName() == "" {
@@ -288,7 +288,7 @@ func getObjectsFromList(list *coreV1.List) ([]k8sRuntime.Object, []string, error
 // DetectDeployTimeFromYAML runs detection on a deployment.
 func (s *serviceImpl) DetectDeployTimeFromYAML(ctx context.Context, req *apiV1.DeployYAMLDetectionRequest) (*apiV1.DeployDetectionResponse, error) {
 	if req.GetYaml() == "" {
-		return nil, errox.NewErrInvalidArgs("yaml field must be specified in detection request")
+		return nil, errox.InvalidArgs.CausedBy("yaml field must be specified in detection request")
 	}
 
 	resources, ignoredObjectRefs, err := getObjectsFromYAML(req.GetYaml())
@@ -347,7 +347,7 @@ func (s *serviceImpl) populateDeploymentWithClusterInfo(ctx context.Context, clu
 // DetectDeployTime runs detection on a deployment.
 func (s *serviceImpl) DetectDeployTime(ctx context.Context, req *apiV1.DeployDetectionRequest) (*apiV1.DeployDetectionResponse, error) {
 	if req.GetDeployment() == nil {
-		return nil, errox.NewErrInvalidArgs("deployment must be passed to deploy time detection")
+		return nil, errox.InvalidArgs.CausedBy("deployment must be passed to deploy time detection")
 	}
 	if err := s.populateDeploymentWithClusterInfo(ctx, req.GetClusterId(), req.GetDeployment()); err != nil {
 		return nil, err

diff --git a/central/networkpolicies/service/service_impl.go b/central/networkpolicies/service/service_impl.go
@@ -1075,7 +1075,7 @@ func compileValidateYaml(simulationYaml string) ([]*storage.NetworkPolicy, error
 	// Check that all resulting policies have namespaces.
 	for _, policy := range policies {
 		if policy.GetNamespace() == "" {
-			return nil, errox.NewErrInvalidArgs("yamls tested against must apply to a namespace")
+			return nil, errox.InvalidArgs.CausedBy("yamls tested against must apply to a namespace")
 		}
 	}
 

@@ -853,7 +853,7 @@ func (s *serviceImpl) PolicyFromSearch(ctx context.Context, request *v1.PolicyFr
 func (s *serviceImpl) parsePolicy(ctx context.Context, searchString string) (*storage.Policy, []search.FieldLabel, bool, error) {
 	// Handle empty input query case.
 	if len(searchString) == 0 {
-		return nil, nil, false, errox.NewErrInvalidArgs("can not generate a policy from an empty query")
+		return nil, nil, false, errox.InvalidArgs.CausedBy("can not generate a policy from an empty query")
 	}
 	// Have a filled query, parse it.
 	fieldMap, err := getFieldMapFromQueryString(searchString)

diff --git a/central/role/service/service_impl.go b/central/role/service/service_impl.go
@@ -113,7 +113,7 @@ func (s *serviceImpl) CreateRole(ctx context.Context, roleRequest *v1.CreateRole
 
 	// Check role request correctness.
 	if role.GetName() != "" && role.GetName() != roleRequest.GetName() {
-		return nil, errox.NewErrInvalidArgs("different role names in path and body")
+		return nil, errox.InvalidArgs.CausedBy("different role names in path and body")
 	}
 	role.Name = roleRequest.GetName()
 
@@ -208,7 +208,7 @@ func (s *serviceImpl) ListPermissionSets(ctx context.Context, _ *v1.Empty) (*v1.
 
 func (s *serviceImpl) PostPermissionSet(ctx context.Context, permissionSet *storage.PermissionSet) (*storage.PermissionSet, error) {
 	if permissionSet.GetId() != "" {
-		return nil, errox.NewErrInvalidArgs("setting id field is not allowed")
+		return nil, errox.InvalidArgs.CausedBy("setting id field is not allowed")
 	}
 	permissionSet.Id = rolePkg.GeneratePermissionSetID()
 
@@ -274,7 +274,7 @@ func (s *serviceImpl) ListSimpleAccessScopes(ctx context.Context, _ *v1.Empty) (
 
 func (s *serviceImpl) PostSimpleAccessScope(ctx context.Context, scope *storage.SimpleAccessScope) (*storage.SimpleAccessScope, error) {
 	if scope.GetId() != "" {
-		return nil, errox.NewErrInvalidArgs("setting id field is not allowed")
+		return nil, errox.InvalidArgs.CausedBy("setting id field is not allowed")
 	}
 	scope.Id = rolePkg.GenerateAccessScopeID()
 

diff --git a/central/sensor/service/service_impl.go b/central/sensor/service/service_impl.go
@@ -70,7 +70,7 @@ func (s *serviceImpl) Communicate(server central.SensorService_CommunicateServer
 
 	svc := identity.Service()
 	if svc == nil || svc.GetType() != storage.ServiceType_SENSOR_SERVICE {
-		return errox.NewErrNotAuthorized("only sensor may access this API")
+		return errox.NotAuthorized.CausedBy("only sensor may access this API")
 	}
 
 	sensorHello, sensorSupportsHello, err := receiveSensorHello(server)

diff --git a/central/sensorupgrade/controlservice/service_impl.go b/central/sensorupgrade/controlservice/service_impl.go
@@ -36,12 +36,12 @@ func clusterIDFromCtx(ctx context.Context) (string, error) {
 
 	svc := id.Service()
 	if svc == nil || svc.GetType() != storage.ServiceType_SENSOR_SERVICE {
-		return "", errox.NewErrNotAuthorized("only sensor/upgrader may access this API")
+		return "", errox.NotAuthorized.CausedBy("only sensor/upgrader may access this API")
 	}
 
 	clusterID := svc.GetId()
 	if clusterID == "" {
-		return "", errox.NewErrNotAuthorized("only sensors with a valid cluster ID may access this API")
+		return "", errox.NotAuthorized.CausedBy("only sensors with a valid cluster ID may access this API")
 	}
 	return clusterID, nil
 }

@@ -67,7 +67,7 @@ func (d *datastoreImpl) AddSignatureIntegration(ctx context.Context, integration
 	}
 	integration.Id = GenerateSignatureIntegrationID()
 	if err := ValidateSignatureIntegration(integration); err != nil {
-		return nil, errox.NewErrInvalidArgs(err.Error())
+		return nil, errox.InvalidArgs.CausedBy(err.Error())
 	}
 
 	// Protect against TOCTOU race condition.
@@ -93,7 +93,7 @@ func (d *datastoreImpl) UpdateSignatureIntegration(ctx context.Context, integrat
 		return false, err
 	}
 	if err := ValidateSignatureIntegration(integration); err != nil {
-		return false, errox.NewErrInvalidArgs(err.Error())
+		return false, errox.InvalidArgs.CausedBy(err.Error())
 	}
 
 	// Protect against TOCTOU race condition.

@@ -117,7 +117,7 @@ func (p *providerImpl) GetOrCreateBackend(ctx context.Context) (Backend, error)
 
 	// Backend factories are not guaranteed to survive product upgrades or restarts.
 	if p.backendFactory == nil {
-		return nil, errox.NewErrInvariantViolation(
+		return nil, errox.InvariantViolation.CausedBy(
 			"the backend for this authentication provider cannot be instantiated;" +
 				" this is probably because of a recent upgrade or a configuration change")
 	}

@@ -275,7 +275,7 @@ func (r *registryImpl) providersHTTPHandler(w http.ResponseWriter, req *http.Req
 
 	userInfo := user.GetUserInfo()
 	if userInfo == nil {
-		err := errox.NewErrNotAuthorized("failed to get user info")
+		err := errox.NotAuthorized.CausedBy("failed to get user info")
 		r.error(w, err, typ, clientState, testMode)
 		return
 	}

diff --git a/pkg/errox/errors.go b/pkg/errox/errors.go
@@ -52,23 +52,3 @@ func GenericNoValidRole() error {
 	return NoValidRole.New("access for this user is not authorized: no valid role," +
 		" please contact your system administrator")
 }
-
-// NewErrNotAuthorized wraps NotAuthorized into an explanation.
-func NewErrNotAuthorized(explanation string) error {
-	return NotAuthorized.CausedBy(explanation)
-}
-
-// NewErrNoCredentials wraps NoCredentials into an explanation.
-func NewErrNoCredentials(explanation string) error {
-	return NoCredentials.CausedBy(explanation)
-}
-
-// NewErrInvariantViolation wraps InvariantViolation into an explanation.
-func NewErrInvariantViolation(explanation string) error {
-	return InvariantViolation.CausedBy(explanation)
-}
-
-// NewErrInvalidArgs wraps InvalidArgs into an explanation.
-func NewErrInvalidArgs(explanation string) error {
-	return InvalidArgs.CausedBy(explanation)
-}
diff --git a/pkg/gjson/row.go b/pkg/gjson/row.go
@@ -22,7 +22,7 @@ type RowMapper struct {
 func NewRowMapper(jsonObj interface{}, multiPathExpression string) (*RowMapper, error) {
 	bytes, err := json.Marshal(jsonObj)
 	if err != nil {
-		return nil, errox.NewErrInvariantViolation(err.Error())
+		return nil, errox.InvariantViolation.CausedBy(err.Error())
 	}
 
 	result, err := getResultFromBytes(bytes, multiPathExpression)
@@ -85,7 +85,7 @@ func isJaggedArray(array [][]string) error {
 func getResultFromBytes(bytes []byte, jsonPathExpression string) (gjson.Result, error) {
 	results := gjson.GetManyBytes(bytes, jsonPathExpression)
 	if len(results) != 1 {
-		return gjson.Result{}, errox.NewErrInvariantViolation("expected gjson " +
+		return gjson.Result{}, errox.InvariantViolation.CausedBy("expected gjson " +
 			"results to be exactly 1")
 	}
 
@@ -112,7 +112,7 @@ func getRowsFromColumns(columns [][]string) [][]string {
 
 // jaggedArrayError helper to create an errox.InvariantViolation with an explanation about a jagged array being found
 func jaggedArrayError(maxAmount, violatedAmount, arrayIndex int) error {
-	return errox.NewErrInvariantViolation(fmt.Sprintf("jagged array found: yielded values within "+
+	return errox.InvariantViolation.CausedBy(fmt.Sprintf("jagged array found: yielded values within "+
 		"each array are not matching; expected each array to hold %d elements but found an array with %d elements "+
 		"at array index %d", maxAmount, violatedAmount, arrayIndex+1))
 }

diff --git a/pkg/grpc/authn/basic/manager.go b/pkg/grpc/authn/basic/manager.go
@@ -30,7 +30,7 @@ func (m *Manager) SetHashFile(hashFile *htpasswd.HashFile) {
 // IdentityForCreds returns an identity for the given credentials.
 func (m *Manager) IdentityForCreds(ctx context.Context, username, password string, authProvider authproviders.Provider) (Identity, error) {
 	if !m.hashFile().Check(username, password) {
-		return nil, errox.NewErrNotAuthorized("invalid username and/or password")
+		return nil, errox.NotAuthorized.CausedBy("invalid username and/or password")
 	}
 
 	resolvedRoles, err := m.mapper.FromUserDescriptor(ctx, &permissions.UserDescriptor{

diff --git a/pkg/grpc/authn/interceptor.go b/pkg/grpc/authn/interceptor.go
@@ -28,7 +28,7 @@ func (u contextUpdater) updateContext(ctx context.Context) (context.Context, err
 			log.Warnf("Cannot extract identity: %v", err)
 		}
 		// Ignore id value if error is not nil.
-		return context.WithValue(ctx, identityErrorContextKey{}, errox.NewErrNoCredentials(err.Error())), nil
+		return context.WithValue(ctx, identityErrorContextKey{}, errox.NoCredentials.CausedBy(err.Error())), nil
 	}
 	if id != nil {
 		// Only service identities can have no roles assigned.

diff --git a/pkg/grpc/authz/and/and.go b/pkg/grpc/authz/and/and.go
@@ -20,7 +20,7 @@ func (a *and) Authorized(ctx context.Context, fullMethodName string) error {
 		}
 	}
 	if len(errors) != 0 {
-		return errox.NewErrNotAuthorized(errorhelpers.NewErrorListWithErrors("some authorizer could not authorize this request:", errors).String())
+		return errox.NotAuthorized.CausedBy(errorhelpers.NewErrorListWithErrors("some authorizer could not authorize this request:", errors).String())
 	}
 	return nil
 }

diff --git a/pkg/grpc/authz/idcheck/service_type.go b/pkg/grpc/authz/idcheck/service_type.go
@@ -16,7 +16,7 @@ func (s serviceType) AuthorizeByIdentity(id authn.Identity) error {
 		return errox.NoCredentials
 	}
 	if svc.GetType() != storage.ServiceType(s) {
-		return errox.NewErrNotAuthorized("service source type not allowed")
+		return errox.NotAuthorized.CausedBy("service source type not allowed")
 	}
 	return nil
 }
diff --git a/pkg/grpc/authz/or/or.go b/pkg/grpc/authz/or/or.go
@@ -22,7 +22,7 @@ func (o *or) Authorized(ctx context.Context, fullMethodName string) error {
 		}
 		errors = append(errors, err)
 	}
-	return errox.NewErrNotAuthorized(errorhelpers.NewErrorListWithErrors("no authorizer could authorize this request:", errors).String())
+	return errox.NotAuthorized.CausedBy(errorhelpers.NewErrorListWithErrors("no authorizer could authorize this request:", errors).String())
 }
 
 // Or creates an Authorizer that succeeds if any of the provided Authorizers succeed.

diff --git a/pkg/grpc/authz/user/role.go b/pkg/grpc/authz/user/role.go
@@ -39,5 +39,5 @@ func (p *roleChecker) checkRole(roleNames []string) error {
 		}
 	}
 
-	return errox.NewErrNotAuthorized(fmt.Sprintf("role %q is required", p.roleName))
+	return errox.NotAuthorized.CausedBy(fmt.Sprintf("role %q is required", p.roleName))
 }
diff --git a/pkg/grpc/authz/user/user.go b/pkg/grpc/authz/user/user.go
@@ -70,7 +70,7 @@ func (p *permissionChecker) checkGlobalSACPermissions(ctx context.Context, rootS
 		return err
 	}
 	if !allowed {
-		return errox.NewErrNotAuthorized("scoped access")
+		return errox.NotAuthorized.CausedBy("scoped access")
 	}
 	return nil
 }
@@ -81,7 +81,7 @@ func (p *permissionChecker) checkPermissions(rolePerms map[string]storage.Access
 	}
 	for _, requiredPerm := range p.requiredPermissions {
 		if !evaluateAgainstPermissions(rolePerms, requiredPerm) {
-			return errox.NewErrNotAuthorized(fmt.Sprintf("%q for %q", requiredPerm.Access, requiredPerm.Resource))
+			return errox.NotAuthorized.CausedBy(fmt.Sprintf("%q for %q", requiredPerm.Access, requiredPerm.Resource))
 		}
 	}
 	return nil

diff --git a/pkg/grpc/errors/interceptor_test.go b/pkg/grpc/errors/interceptor_test.go
@@ -221,7 +221,7 @@ func TestPanicOnInvariantViolationStreamInterceptor(t *testing.T) {
 		},
 		"Error is ErrInvariantViolation -> panic": {
 			handler: func(srv interface{}, stream grpc.ServerStream) error {
-				return errox.NewErrInvariantViolation("some explanation")
+				return errox.InvariantViolation.CausedBy("some explanation")
 			},
 			err:    nil,
 			panics: true,
-Original file line number
+Diff line change
@@ Expand Up / @@ -39,5 +39,5 @@ func (p *roleChecker) checkRole(roleNames []string) error { @@
     		}
     	}
-    	return errox.NewErrNotAuthorized(fmt.Sprintf("role %q is required", p.roleName))
+    	return errox.NotAuthorized.CausedBy(fmt.Sprintf("role %q is required", p.roleName))
     }