Add sanction screening service prod#5090
Open
lukaszgryglicki wants to merge 39 commits into
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Add SSS client config
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
…rigger Fix the CI
Signed-off-by: psrsingh <psr.singh336@gmail.com>
feat(sign): integrate sanctions screening service enforcement
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
…t-failures Fix CI lint test failures
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
…-followup Followup SSS integration
Contributor
Pull request overview
This pull request introduces a shared Sanctions Screening Service (SSS) client module and wires SSS-based compliance checks into both the Go v2 backend and the legacy backend, including persistence of sanction state/origin and additional enforcement gates across signing and related flows.
Changes:
- Add new shared Go module `cla-sss-base` implementing an Auth0 client-credentials SSS client plus tests.
- Integrate SSS checks into signing and authorization paths (legacy + v2), persisting `is_sanctioned` and `sanction_origin` and enforcing the sanction gate in multiple entry points.
- Update config loading (SSM) and CI workflows to support the new module and configuration.
Reviewed changes
Copilot reviewed 36 out of 38 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| cla-sss-base/types.go | Adds shared SSS config/request/response types and status/source constants. |
| cla-sss-base/LICENSE | Adds MIT license file for the new shared module. |
| cla-sss-base/go.mod | Introduces standalone Go module for the shared SSS client. |
| cla-sss-base/from_config.go | Adds factory to build an SSS client from shared platform Auth0 credentials. |
| cla-sss-base/from_config_test.go | Tests for config parsing/derivation behavior (Auth0 domain, trimming, disabled cases). |
| cla-sss-base/errors.go | Defines typed error wrappers for SSS API responses and timeouts. |
| cla-sss-base/client.go | Implements the HTTP client, Auth0 token caching, and org status lookup. |
| cla-sss-base/client_test.go | Adds unit tests covering success/error paths, retries, token caching/refresh behavior. |
| cla-sss-base/auth.go | Adds Auth0 request/response payload structs used by the client. |
| cla-backend-legacy/internal/store/dynamo.go | Adds an SSM client constructor and refactors region resolution helper. |
| cla-backend-legacy/internal/store/companies.go | Adds methods to persist/clear sanctions with origin semantics and conditional updates. |
| cla-backend-legacy/internal/legacy/salesforce/service.go | Adds organization lookup to resolve domains needed for SSS checks. |
| cla-backend-legacy/internal/api/handlers.go | Initializes SSS from SSM + platform creds; adds SSS compliance checks + domain resolution helpers and enforcement in ECLA precheck flow. |
| cla-backend-legacy/go.mod | Adds local replace/require for cla-sss-base and bumps toolchain patch version. |
| cla-backend-go/v2/signatures/handlers.go | Blocks enabling ECLA auto-create for sanctioned companies. |
| cla-backend-go/v2/sign/service.go | Adds SSS compliance screening with caching, persistence, and required/optional behavior; integrates into CCLA request + callback. |
| cla-backend-go/v2/sign/service_sss_test.go | Adds unit tests for domain resolution, error handling, and compliance cache behavior. |
| cla-backend-go/v2/sign/helpers.go | Adds sanction enforcement during ECLA acknowledgement path (hasUserSigned). |
| cla-backend-go/v2/gitlab-activity/service.go | Fixes incorrect error propagation when collecting missing users. |
| cla-backend-go/v2/gitlab_organizations/service.go | Adds sanction gate to prevent activating corporate signature for sanctioned companies. |
| cla-backend-go/swagger/common/company.yaml | Exposes sanctionOrigin in the company API schema. |
| cla-backend-go/sss/types.go | Re-exports SSS types/constants from cla-sss-base for backwards compatibility. |
| cla-backend-go/sss/from_config.go | Adds placeholder file documenting re-exported factory usage. |
| cla-backend-go/sss/errors.go | Re-exports SSS error types from cla-sss-base. |
| cla-backend-go/sss/client.go | Re-exports Client and NewClient from cla-sss-base. |
| cla-backend-go/sss/auth.go | Re-exports NewClientFromPlatformCredentials from cla-sss-base. |
| cla-backend-go/signatures/service.go | Adds sanction gate to block ECLA auto-creation and employee acknowledgment for sanctioned companies. |
| cla-backend-go/go.mod | Adds local replace/require for cla-sss-base and bumps toolchain patch version. |
| cla-backend-go/config/ssm.go | Loads optional SSS config from SSM (leniently) and adds helper functions. |
| cla-backend-go/config/config.go | Adds SSS config struct to overall config model. |
| cla-backend-go/company/repository.go | Adds repo methods to persist/clear sanctions with origin semantics and conditional updates. |
| cla-backend-go/company/projections.go | Adds sanction_origin to DynamoDB projection. |
| cla-backend-go/company/models.go | Adds SanctionOrigin field mapping to/from DynamoDB and swagger model. |
| cla-backend-go/company/mocks/mock_repo.go | Updates repository mocks for new sanction persistence methods. |
| cla-backend-go/cmd/server.go | Initializes SSS client from config and passes into sign service. |
| cla-backend-go/cmd/s3_upload/main.go | Updates sign service constructor call signature to include SSS args. |
| .github/workflows/deploy-dev.yml | Changes deploy-dev concurrency behavior (do not cancel in-progress runs). |
| .github/workflows/build-pr.yml | Adds build/test/lint steps for the new cla-sss-base module. |
Files not reviewed (1)
- cla-backend-go/company/mocks/mock_repo.go: Generated file
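As an added illustration (not code from this PR and not `cla-sss-base`'s API, which this page does not show), the following Go sketch demonstrates the two pieces the review summary describes: an Auth0 client-credentials token that is cached until shortly before expiry, and a sanction gate with required/optional behaviour, where a positive hit always blocks, while a screening outage fails closed in required mode and fails open (with the error surfaced for logging) in optional mode. Every name here (`Client`, `AllowSigning`, `NewFakeSSS`, the `/oauth/token` and `/orgs/` paths, the `"sanctioned"` status value) is an assumption; the in-process servers and the org data are constructed for the example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Client is a hypothetical stand-in for an SSS client (not cla-sss-base's API): it
// obtains an Auth0 client-credentials token, caches it until shortly before expiry,
// and looks up an organization's sanction status with that token.
type Client struct {
	HTTP                                  *http.Client
	TokenURL, StatusURL, ClientID, Secret string // assumed endpoints and credentials
	TokenCalls                            int    // token round-trips made; shows that caching works
	mu                                    sync.Mutex
	token                                 string
	expiresAt                             time.Time
}

// do sends one JSON request, optionally with a bearer token, and decodes a 200 response into out.
func (c *Client) do(ctx context.Context, method, url string, body []byte, bearer string, out any) error {
	req, err := http.NewRequestWithContext(ctx, method, url, bytes.NewReader(body))
	if err != nil {
		return err
	}
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

func (c *Client) accessToken(ctx context.Context) (string, error) {
	c.mu.Lock() // one token fetch at a time; concurrent callers share the cached value
	defer c.mu.Unlock()
	if c.token != "" && time.Now().Add(30*time.Second).Before(c.expiresAt) {
		return c.token, nil // still valid for at least 30s: reuse it
	}
	body, _ := json.Marshal(map[string]string{"grant_type": "client_credentials", "client_id": c.ClientID, "client_secret": c.Secret})
	c.TokenCalls++
	var tok struct{ AccessToken string `json:"access_token"`; ExpiresIn int `json:"expires_in"` }
	if err := c.do(ctx, http.MethodPost, c.TokenURL, body, "", &tok); err != nil {
		return "", err
	}
	c.token, c.expiresAt = tok.AccessToken, time.Now().Add(time.Duration(tok.ExpiresIn)*time.Second)
	return c.token, nil
}

// IsSanctioned reports whether the screening API flags orgID as sanctioned.
func (c *Client) IsSanctioned(ctx context.Context, orgID string) (bool, error) {
	tok, err := c.accessToken(ctx)
	if err != nil {
		return false, err
	}
	var out struct{ Status string `json:"status"` }
	if err := c.do(ctx, http.MethodGet, c.StatusURL+"/"+orgID, nil, tok, &out); err != nil {
		return false, err
	}
	return out.Status == "sanctioned", nil
}

// AllowSigning is the enforcement gate: a positive hit always blocks. If screening itself
// fails, required mode blocks (fail closed) and optional mode allows (fail open); the
// error is returned in both cases so the caller can log the degraded check.
func AllowSigning(ctx context.Context, c *Client, orgID string, required bool) (bool, error) {
	sanctioned, err := c.IsSanctioned(ctx, orgID)
	if err != nil {
		return !required, fmt.Errorf("screening unavailable (required=%v): %w", required, err)
	}
	return !sanctioned, nil
}

// NewFakeSSS starts constructed in-process stand-ins for the token and status endpoints.
// orgs maps orgID to "clear" or "sanctioned"; an unknown org answers HTTP 500 (simulated outage).
func NewFakeSSS(orgs map[string]string) (*httptest.Server, *Client) {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth/token", func(w http.ResponseWriter, _ *http.Request) { json.NewEncoder(w).Encode(map[string]any{"access_token": "constructed-token", "expires_in": 3600}) })
	mux.HandleFunc("/orgs/", func(w http.ResponseWriter, r *http.Request) {
		if st, ok := orgs[r.URL.Path[len("/orgs/"):]]; ok {
			json.NewEncoder(w).Encode(map[string]string{"status": st})
			return
		}
		w.WriteHeader(http.StatusInternalServerError)
	})
	srv := httptest.NewServer(mux)
	return srv, &Client{HTTP: srv.Client(), TokenURL: srv.URL + "/oauth/token", StatusURL: srv.URL + "/orgs", ClientID: "constructed-id", Secret: "constructed-secret"}
}
```

The point worth checking in a review of any such gate is the outage branch: `AllowSigning` only returns `true` on an error when `required` is false, and even then it hands the error back so the caller records that a signature went through without a completed screen. `TokenCalls` exists only so a test can confirm that several lookups reuse one token rather than hitting Auth0 each time.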
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Member
Author
Needs #5091 to be approved & merged first.
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
mlehotskylf previously approved these changes (Jun 17, 2026)
Two more SSS checks updates
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Fix SSS updates in optional mode
Signed-off-by: Lukasz Gryglicki lgryglicki@cncf.io
Assisted by OpenAI
Assisted by GitHub Copilot
Assisted by Claude