Followup SSS integration#5087
Merged
Merged
Conversation
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughEnforces sanctions across signature flows, prevents SSS-origin updates from overwriting manual/admin blocks via conditional DynamoDB writes, and strengthens SSS compliance checks and logging with mode-aware fallback behavior. ChangesSanctions enforcement and conditional clearing
Sequence Diagram(s)sequenceDiagram
participant Client
participant SignService
participant SSSClient
participant CompanyStore
participant DynamoDB
Client->>SignService: SignedCorporateCallback / initiate compliance check
SignService->>SSSClient: GetOrganizationStatus(request)
SSSClient-->>SignService: status (sanctioned|clean)
SignService->>CompanyStore: Clear/UpdateCompanySanctionStatus based on status
CompanyStore->>DynamoDB: UpdateItem (conditional or REMOVE sanction_origin)
DynamoDB-->>CompanyStore: Success / ConditionalCheckFailedException
CompanyStore-->>SignService: Result (error or nil)
SignService-->>Client: finalize or abort based on compliance
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR continues the Sanctions Screening Service (SSS) integration by strengthening how sanction state is persisted (including origin tracking), ensuring SSS updates do not overwrite manual/admin blocks, and enforcing sanction gates in additional signing/authorization flows across both legacy and Go backends.
Changes:
- Add conditional DynamoDB updates so SSS-origin blocks cannot overwrite existing manual/admin blocks, and treat conditional-check failures as “preserve existing block.”
- Add additional SSS screening logging (including required vs optional mode) and tighten required-mode behavior when a persisted “clean” result cannot be saved.
- Enforce persisted sanction gates in more runtime paths (DocuSign corporate callback, GitLab MR authorization checks, and employee signature auto-create / authorization checks).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| cla-backend-legacy/internal/store/companies.go | Adds conditional update logic to prevent SSS from overwriting manual/admin sanctions and preserves existing blocks on conditional failure. |
| cla-backend-legacy/internal/api/handlers.go | Improves SSS screening observability and fails closed in required mode when a persisted “clean” cannot be cleared. |
| cla-backend-go/v2/sign/service.go | Re-screens company sanctions before finalizing corporate CLAs and improves SSS screening logging/required-mode persistence handling. |
| cla-backend-go/v2/gitlab-activity/service.go | Blocks GitLab authorization for users affiliated with sanctioned companies using the persisted sanction gate. |
| cla-backend-go/signatures/service.go | Prevents auto-creating ECLAs for sanctioned companies and ensures ECLA authorization fails for sanctioned companies. |
| cla-backend-go/company/repository.go | Adds conditional DynamoDB update logic mirroring legacy behavior to preserve manual/admin blocks when SSS flags a company. |
| cla-backend-go/company/projections.go | Ensures sanction_origin is included in projected company reads so origin-aware logic can function correctly. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cla-backend-legacy/internal/api/handlers.go`:
- Around line 8995-9000: The optional SSS path can leave a durable
false-positive because when h.companies.ClearCompanySanctionStatusIfSSS(ctx,
companyID) fails and h.sssRequired is false you still proceed while the DB keeps
is_sanctioned=true with sanction_origin="sss", which later pre-SSS fallback
logic will honor; update checkCompanyCompliance so that on optional-mode clear
failures you either retry/persist the clear (e.g., retry
ClearCompanySanctionStatusIfSSS with backoff or enqueue a durable job) before
returning success, or change the pre-SSS fallback to ignore/override DB records
where sanction_origin=="sss" when h.sssRequired==false; locate and modify the
ClearCompanySanctionStatusIfSSS call and the pre-SSS fallback branch in
checkCompanyCompliance to implement one of these fixes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d0d2fd71-a043-4569-ae42-93efd52df86a
📒 Files selected for processing (7)
cla-backend-go/company/projections.gocla-backend-go/company/repository.gocla-backend-go/signatures/service.gocla-backend-go/v2/gitlab-activity/service.gocla-backend-go/v2/sign/service.gocla-backend-legacy/internal/api/handlers.gocla-backend-legacy/internal/store/companies.go
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
cla-backend-legacy/internal/api/handlers.go (3)
5221-5249:⚠️ Potential issue | 🟠 Major | ⚡ Quick winRestrict sticky sanction overrides to privileged callers.
Line 5222 still authorizes any
company_aclmember, and Lines 5246-5249 now turn anis_sanctionededit into a manual/admin-controlled state by deletingsanction_origin. That lets a regular CLA manager clear an SSS block or create a durable manual block throughPUT /v1/company, which is broader than the new "manual/admin" semantics described in this PR.
8940-8947:⚠️ Potential issue | 🟠 Major | ⚡ Quick winGuard the Salesforce dependency before the optional fallback.
Line 8941 unconditionally dereferences
h.salesforce, butNewHandlersexplicitly allows dependencies to be nil when misconfigured. In optional mode that turns "screening unavailable" into a panic instead of the newfalse, nilfallback.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cla-backend-legacy/internal/api/handlers.go` around lines 8940 - 8947, The code unconditionally calls h.salesforce.GetOrganization which can dereference a nil dependency; before calling GetOrganization (in the method containing this block, e.g., checkCompanyCompliance), add a nil check for h.salesforce and handle the optional fallback the same way as when GetOrganization errors: if h.salesforce == nil log a warning referencing companyExternalID and then if h.sssRequired return false with a wrapped error, otherwise return false, nil; only call h.salesforce.GetOrganization after confirming h.salesforce is non-nil.
8908-8918:⚠️ Potential issue | 🟠 MajorBackfill legacy sanction rows that lack
sanction_origin
checkCompanyComplianceshort-circuits withreturn truewhenis_sanctionedis true andsanction_origin != "sss"—including whensanction_originis missing (empty string).ClearCompanySanctionStatusIfSSScan only auto-clear whensanction_origin == "sss", so legacy rows persisted beforesanction_originexisted can never be re-screened/cleared by a future SSS clean result. Ensure a migration/backfill (or an explicit one-time re-screen path) setssanction_origin="sss"for pre-existing SSS-backed sanctions, or adjust the gate to handle missing origin safely.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cla-backend-legacy/internal/api/handlers.go` around lines 8908 - 8918, checkCompanyCompliance currently treats a missing sanction_origin as non-SSS and short-circuits, preventing ClearCompanySanctionStatusIfSSS from ever clearing legacy rows; fix by backfilling legacy sanction rows to set sanction_origin="sss" for any is_sanctioned records that were created by the old SSS flow (preferred), or alternatively change the gate in checkCompanyCompliance to only short-circuit when sanctionOrigin != "" && sanctionOrigin != "sss" so empty origin does not block re-screening; update/migrate data and/or adjust the logic in checkCompanyCompliance (and ensure ClearCompanySanctionStatusIfSSS semantics remain consistent) so pre-existing SSS-backed sanctions can be auto-cleared.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@cla-backend-legacy/internal/api/handlers.go`:
- Around line 8940-8947: The code unconditionally calls
h.salesforce.GetOrganization which can dereference a nil dependency; before
calling GetOrganization (in the method containing this block, e.g.,
checkCompanyCompliance), add a nil check for h.salesforce and handle the
optional fallback the same way as when GetOrganization errors: if h.salesforce
== nil log a warning referencing companyExternalID and then if h.sssRequired
return false with a wrapped error, otherwise return false, nil; only call
h.salesforce.GetOrganization after confirming h.salesforce is non-nil.
- Around line 8908-8918: checkCompanyCompliance currently treats a missing
sanction_origin as non-SSS and short-circuits, preventing
ClearCompanySanctionStatusIfSSS from ever clearing legacy rows; fix by
backfilling legacy sanction rows to set sanction_origin="sss" for any
is_sanctioned records that were created by the old SSS flow (preferred), or
alternatively change the gate in checkCompanyCompliance to only short-circuit
when sanctionOrigin != "" && sanctionOrigin != "sss" so empty origin does not
block re-screening; update/migrate data and/or adjust the logic in
checkCompanyCompliance (and ensure ClearCompanySanctionStatusIfSSS semantics
remain consistent) so pre-existing SSS-backed sanctions can be auto-cleared.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: aaf2a37f-bb70-4f1f-9f0c-45dc5ba40942
📒 Files selected for processing (6)
cla-backend-go/company/repository.gocla-backend-go/v2/gitlab-activity/service.gocla-backend-go/v2/gitlab_organizations/service.gocla-backend-go/v2/signatures/handlers.gocla-backend-legacy/internal/api/handlers.gocla-backend-legacy/internal/store/companies.go
🚧 Files skipped from review as they are similar to previous changes (3)
- cla-backend-go/v2/gitlab-activity/service.go
- cla-backend-legacy/internal/store/companies.go
- cla-backend-go/company/repository.go
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
There was a problem hiding this comment.
♻️ Duplicate comments (1)
cla-backend-legacy/internal/api/handlers.go (1)
8921-8964:⚠️ Potential issue | 🟠 Major | ⚡ Quick winOptional fallbacks still treat stale SSS blocks as authoritative.
This is still the unresolved false-positive path from the earlier review: if
ClearCompanySanctionStatusIfSSSfails once at Lines 9003-9008 in optional mode, the row staysis_sanctioned=truewithsanction_origin="sss", and these new fallback returns will keep blocking later requests whenever live screening is unavailable. Keep the optional-mode fallbacks atreturn false, nil, or explicitly ignore persistedsss-origin blocks here.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cla-backend-legacy/internal/api/handlers.go` around lines 8921 - 8964, The optional-mode fallback is incorrectly honoring persisted SSS-origin blocks and returning isSanctioned (which keeps false-positives blocking); in checkCompanyCompliance update the early-return paths that currently do "return isSanctioned, nil" when h.sssRequired is false (the branches after h.sssClient==nil, missing companyExternalID, failed GetOrganization, nil org, or unresolved domain) to instead treat SSS-origin sanctions as non-blocking in optional mode — either return false, nil directly in these optional fallbacks or explicitly check the persisted sanction origin (e.g., sanction_origin == "sss") and clear/ignore it before returning; ensure this aligns with ClearCompanySanctionStatusIfSSS logic so transient ClearCompanySanctionStatusIfSSS failures don't leave SSS-origin rows blocking future requests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@cla-backend-legacy/internal/api/handlers.go`:
- Around line 8921-8964: The optional-mode fallback is incorrectly honoring
persisted SSS-origin blocks and returning isSanctioned (which keeps
false-positives blocking); in checkCompanyCompliance update the early-return
paths that currently do "return isSanctioned, nil" when h.sssRequired is false
(the branches after h.sssClient==nil, missing companyExternalID, failed
GetOrganization, nil org, or unresolved domain) to instead treat SSS-origin
sanctions as non-blocking in optional mode — either return false, nil directly
in these optional fallbacks or explicitly check the persisted sanction origin
(e.g., sanction_origin == "sss") and clear/ignore it before returning; ensure
this aligns with ClearCompanySanctionStatusIfSSS logic so transient
ClearCompanySanctionStatusIfSSS failures don't leave SSS-origin rows blocking
future requests.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 0fc2d9fa-4fd0-4656-b40e-01104f28d7ce
📒 Files selected for processing (2)
cla-backend-go/v2/sign/service.gocla-backend-legacy/internal/api/handlers.go
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
mlehotskylf
approved these changes
Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Lukasz Gryglicki lgryglicki@cncf.io
Assisted by OpenAI
Assisted by GitHub Copilot
Assisted by Claude