Merge pull request #5090 from linuxfoundation/dev

Add sanction screening service prod

Author: lukaszgryglicki

.github/workflows/build-pr.yml

@@ -111,3 +111,22 @@ jobs:
       - name: Go Lint CLA Legacy Backend
         working-directory: cla-backend-legacy
         run: make lint
+
+      - name: Go Setup CLA SSS Base
+        working-directory: cla-sss-base
+        run: |
+          go mod tidy
+
+      - name: Go Build CLA SSS Base
+        working-directory: cla-sss-base
+        run: go build ./...
+
+      - name: Go Test CLA SSS Base
+        working-directory: cla-sss-base
+        run: go test ./...
+
+      - name: Go Lint CLA SSS Base
+        working-directory: cla-sss-base
+        run: |
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.8
+          golangci-lint run ./...

.github/workflows/deploy-dev.yml

@@ -25,7 +25,7 @@ env:
 
 concurrency:
   group: deploy-dev
-  cancel-in-progress: true
+  cancel-in-progress: false
 
 jobs:
   build-deploy-dev:

cla-backend-go/cmd/s3_upload/main.go

@@ -57,7 +57,7 @@ func init() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	signService = sign.NewService("", "", companyRepo, nil, nil, nil, nil, configFile.DocuSignPrivateKey, nil, nil, nil, nil, githubOrgService, nil, "", "", nil, nil, nil, nil, nil)
+	signService = sign.NewService("", "", companyRepo, nil, nil, nil, nil, configFile.DocuSignPrivateKey, nil, nil, nil, nil, githubOrgService, nil, "", "", nil, nil, nil, nil, nil, nil, false)
 	// projectRepo = repository.NewRepository(awsSession, stage, nil, nil, nil)
 	utils.SetS3Storage(awsSession, configFile.SignatureFilesBucket)
 }

cla-backend-go/cmd/server.go

@@ -83,6 +83,7 @@ import (
 
 	"github.com/linuxfoundation/easycla/cla-backend-go/api_logs"
 	"github.com/linuxfoundation/easycla/cla-backend-go/signatures"
+	"github.com/linuxfoundation/easycla/cla-backend-go/sss"
 	"github.com/linuxfoundation/easycla/cla-backend-go/telemetry"
 	v2Signatures "github.com/linuxfoundation/easycla/cla-backend-go/v2/signatures"
 
@@ -448,7 +449,24 @@ func server(localMode bool) http.Handler {
 	v2GithubActivityService := v2GithubActivity.NewService(gitV1Repository, githubOrganizationsRepo, eventsService, autoEnableService, emailService)
 
 	v2ClaGroupService := cla_groups.NewService(v1ProjectService, templateService, v1ProjectClaGroupRepo, v1ClaManagerService, v1SignaturesService, metricsRepo, gerritService, v1RepositoriesService, eventsService)
-	v2SignService := sign.NewService(configFile.ClaAPIV4Base, configFile.ClaV1ApiURL, v1CompanyRepo, v1CLAGroupRepo, v1ProjectClaGroupRepo, v1CompanyService, v2ClaGroupService, configFile.DocuSignPrivateKey, usersService, v1SignaturesService, storeRepository, v1RepositoriesService, githubOrganizationsService, gitlabOrganizationsService, configFile.CLALandingPage, configFile.CLALogoURL, emailService, eventsService, gitlabActivityService, gitlabApp, gerritService)
+
+	// Initialize SSS (Sanctions Screening Service) client if configured.
+	// The sssRequired flag is controlled by the cla-sss-required-{stage} SSM parameter.
+	sssRequired := configFile.SSS.Required
+	var sssClient *sss.Client
+	sssClient, err = sss.NewClientFromPlatformCredentials(configFile.SSS.BaseURL, configFile.SSS.Audience, configFile.Auth0Platform.URL, configFile.Auth0Platform.ClientID, configFile.Auth0Platform.ClientSecret)
+	if err != nil {
+		if sssRequired {
+			log.WithFields(f).WithError(err).Fatal("failed to initialize required SSS client")
+		}
+		log.WithFields(f).WithError(err).Warn("failed to initialize optional SSS client, screening will be unavailable")
+		sssClient = nil
+	}
+	if sssRequired && sssClient == nil {
+		log.WithFields(f).Fatal("SSS is required but not configured")
+	}
+
+	v2SignService := sign.NewService(configFile.ClaAPIV4Base, configFile.ClaV1ApiURL, v1CompanyRepo, v1CLAGroupRepo, v1ProjectClaGroupRepo, v1CompanyService, v2ClaGroupService, configFile.DocuSignPrivateKey, usersService, v1SignaturesService, storeRepository, v1RepositoriesService, githubOrganizationsService, gitlabOrganizationsService, configFile.CLALandingPage, configFile.CLALogoURL, emailService, eventsService, gitlabActivityService, gitlabApp, gerritService, sssClient, sssRequired)
 
 	sessionStore, err := dynastore.New(dynastore.Path("/"), dynastore.HTTPOnly(), dynastore.TableName(configFile.SessionStoreTableName), dynastore.DynamoDB(dynamodb.New(awsSession)))
 	if err != nil {

cla-backend-go/company/mocks/mock_repo.go

@@ -25,6 +25,7 @@ type DBModel struct {
 	Updated           string   `dynamodbav:"date_modified" json:"date_modified"`
 	Note              string   `dynamodbav:"note" json:"note"`
 	IsSanctioned      bool     `dynamodbav:"is_sanctioned" json:"is_sanctioned"`
+	SanctionOrigin    string   `dynamodbav:"sanction_origin" json:"sanction_origin,omitempty"`
 	Version           string   `dynamodbav:"version" json:"version"`
 }
 
@@ -87,6 +88,7 @@ func (dbCompanyModel *DBModel) toModel() (*models.Company, error) {
 		Updated:           strfmt.DateTime(updateDateTime),
 		Note:              dbCompanyModel.Note,
 		IsSanctioned:      dbCompanyModel.IsSanctioned,
+		SanctionOrigin:    dbCompanyModel.SanctionOrigin,
 		Version:           dbCompanyModel.Version,
 	}, nil
 }
@@ -148,6 +150,7 @@ func toSwaggerModel(dbCompanyModel *DBModel) (*models.Company, error) {
 		CompanyName:       dbCompanyModel.CompanyName,
 		SigningEntityName: dbCompanyModel.SigningEntityName,
 		IsSanctioned:      dbCompanyModel.IsSanctioned,
+		SanctionOrigin:    dbCompanyModel.SanctionOrigin,
 		CompanyExternalID: dbCompanyModel.CompanyExternalID,
 		CompanyManagerID:  dbCompanyModel.CompanyManagerID,
 		Created:           strfmt.DateTime(createdDateTime),

cla-backend-go/company/models.go

@@ -19,6 +19,7 @@ func buildCompanyProjection() expression.ProjectionBuilder {
 		expression.Name("date_modified"),
 		expression.Name("note"),
 		expression.Name("is_sanctioned"),
+		expression.Name("sanction_origin"),
 		expression.Name("version"),
 	)
 }

cla-backend-go/company/projections.go

@@ -21,6 +21,7 @@ import (
 	log "github.com/linuxfoundation/easycla/cla-backend-go/logging"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
@@ -53,6 +54,8 @@ type IRepository interface { //nolint
 	ApproveCompanyAccessRequest(ctx context.Context, companyInviteID string) error
 	RejectCompanyAccessRequest(ctx context.Context, companyInviteID string) error
 	UpdateCompanyAccessList(ctx context.Context, companyID string, companyACL []string) error
+	UpdateCompanySanctionStatus(ctx context.Context, companyID string, sanctioned bool, origin string) error
+	ClearCompanySanctionStatusIfSSS(ctx context.Context, companyID string) (bool, error)
 	IsCCLAEnabledForCompany(ctx context.Context, companyID string) (bool, error)
 }
 
@@ -1276,7 +1279,119 @@ func (repo repository) UpdateCompanyAccessList(ctx context.Context, companyID st
 	return nil
 }
 
-// CreateCompany creates a new company record
+// sanctionOriginSSS is the sanction_origin value written by the Sanctions Screening Service.
+const sanctionOriginSSS = "sss"
+
+// UpdateCompanySanctionStatus sets is_sanctioned and, when origin is non-empty, sanction_origin.
+// Pass origin="sss" when flagging via SSS; pass origin="" for manual admin updates.
+func (repo repository) UpdateCompanySanctionStatus(ctx context.Context, companyID string, sanctioned bool, origin string) error {
+	f := logrus.Fields{
+		"functionName":   "company.repository.UpdateCompanySanctionStatus",
+		utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
+		"companyID":      companyID,
+		"sanctioned":     sanctioned,
+		"origin":         origin,
+	}
+
+	_, now := utils.CurrentTime()
+
+	names := map[string]*string{
+		"#S": aws.String("is_sanctioned"),
+		"#M": aws.String("date_modified"),
+	}
+	values := map[string]*dynamodb.AttributeValue{
+		":s": {BOOL: aws.Bool(sanctioned)},
+		":m": {S: aws.String(now)},
+	}
+	updateExpr := "SET #S = :s, #M = :m"
+
+	if origin != "" {
+		names["#O"] = aws.String("sanction_origin")
+		values[":o"] = &dynamodb.AttributeValue{S: aws.String(origin)}
+		updateExpr += ", #O = :o"
+	} else {
+		// Manual/admin update: remove any stale SSS-set origin so the record becomes a
+		// sticky admin block (origin absent) that SSS will never auto-clear.
+		names["#O"] = aws.String("sanction_origin")
+		updateExpr += " REMOVE #O"
+	}
+
+	input := &dynamodb.UpdateItemInput{
+		ExpressionAttributeNames:  names,
+		ExpressionAttributeValues: values,
+		TableName:                 aws.String(repo.companyTableName),
+		Key: map[string]*dynamodb.AttributeValue{
+			"company_id": {S: aws.String(companyID)},
+		},
+		UpdateExpression: aws.String(updateExpr),
+	}
+
+	// When SSS sets a block, never overwrite a manual/admin block (is_sanctioned=true
+	// with absent or non-"sss" origin). Only set the SSS flag when the company is
+	// currently unblocked or already SSS-blocked. A ConditionalCheckFailedException
+	// therefore means a manual/admin block is already in place and must be preserved.
+	sssSettingBlock := sanctioned && origin == sanctionOriginSSS
+	if sssSettingBlock {
+		values[":false"] = &dynamodb.AttributeValue{BOOL: aws.Bool(false)}
+		input.ConditionExpression = aws.String("attribute_not_exists(#S) OR #S = :false OR #O = :o")
+	}
+
+	if _, err := repo.dynamoDBClient.UpdateItem(input); err != nil {
+		if sssSettingBlock {
+			if aerr, ok := err.(awserr.Error); ok && aerr.Code() == dynamodb.ErrCodeConditionalCheckFailedException {
+				log.WithFields(f).Debugf("company %s already has a manual/admin sanction block; preserving it and not overwriting origin with sss", companyID)
+				return nil
+			}
+		}
+		log.WithFields(f).Warnf("error updating company sanction status, error: %v", err)
+		return err
+	}
+	return nil
+}
+
+// ClearCompanySanctionStatusIfSSS clears is_sanctioned only when sanction_origin="sss".
+// It returns (cleared, err): cleared is true only when the conditional matched and the
+// record was actually cleared; a ConditionalCheckFailedException (manual/absent origin)
+// returns (false, nil) so callers can leave any manual/admin block in place.
+func (repo repository) ClearCompanySanctionStatusIfSSS(ctx context.Context, companyID string) (bool, error) {
+	f := logrus.Fields{
+		"functionName":   "company.repository.ClearCompanySanctionStatusIfSSS",
+		utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
+		"companyID":      companyID,
+	}
+
+	_, now := utils.CurrentTime()
+
+	input := &dynamodb.UpdateItemInput{
+		TableName: aws.String(repo.companyTableName),
+		Key: map[string]*dynamodb.AttributeValue{
+			"company_id": {S: aws.String(companyID)},
+		},
+		UpdateExpression:    aws.String("SET #S = :false, #M = :m REMOVE #O"),
+		ConditionExpression: aws.String("#O = :sss"),
+		ExpressionAttributeNames: map[string]*string{
+			"#S": aws.String("is_sanctioned"),
+			"#M": aws.String("date_modified"),
+			"#O": aws.String("sanction_origin"),
+		},
+		ExpressionAttributeValues: map[string]*dynamodb.AttributeValue{
+			":false": {BOOL: aws.Bool(false)},
+			":m":     {S: aws.String(now)},
+			":sss":   {S: aws.String(sanctionOriginSSS)},
+		},
+	}
+
+	if _, err := repo.dynamoDBClient.UpdateItem(input); err != nil {
+		if aerr, ok := err.(awserr.Error); ok && aerr.Code() == dynamodb.ErrCodeConditionalCheckFailedException {
+			log.WithFields(f).Debugf("sanction_origin != sss for company %s; not auto-clearing (manual/admin block)", companyID)
+			return false, nil
+		}
+		log.WithFields(f).Warnf("error clearing company sanction status: %v", err)
+		return false, err
+	}
+	return true, nil
+}
+
 func (repo repository) CreateCompany(ctx context.Context, in *models.Company) (*models.Company, error) {
 	f := logrus.Fields{
 		"functionName":      "company.repository.CreateCompany",

cla-backend-go/company/repository.go

@@ -98,6 +98,9 @@ type Config struct {
 
 	// DocuSignPrivateKey is the private key for the DocuSign API
 	DocuSignPrivateKey string `json:"docuSignPrivateKey"`
+
+	// SSS holds the Sanctions Screening Service client configuration
+	SSS SSS `json:"sss"`
 }
 
 // Auth0 model
@@ -116,6 +119,32 @@ type Auth0Platform struct {
 	URL          string `json:"url"`
 }
 
+// SSS holds the Sanctions Screening Service client configuration. The SSS
+// integration reuses the shared LFX platform M2M (Auth0Platform) credentials,
+// so only the SSS-specific base URL and audience are configured here.
+//
+// Sanctions screening is required by policy in deployed environments - these
+// values are only loaded leniently (see config/ssm.go) so the SSM parameters
+// can be provisioned before the feature is switched on. Whether a missing
+// configuration is tolerated (no-op) or fatal must be enforced by the caller
+// per stage; it must NOT be silently skipped in dev/staging/prod.
+type SSS struct {
+	// BaseURL is the SSS host root WITHOUT the /api/v1 suffix - the client
+	// appends /api/v1/organizations/status itself (e.g.
+	// https://sanctions-screening.dev.v2.cluster.linuxfound.info)
+	BaseURL string `json:"base_url"`
+	// Audience is the Auth0 resource-server identifier for SSS, including any
+	// trailing slash - it must match the auth0-terraform resource server
+	// identifier exactly (e.g.
+	// https://sanctions-screening.dev.v2.cluster.linuxfound.info/)
+	Audience string `json:"audience"`
+	// Required is a flag controlling whether SSS screening is required or optional.
+	// When true, any SSS errors (unavailable, timeout, config errors, or missing domain)
+	// will block the operation. When false, SSS errors are logged but do not block.
+	// This flag is loaded from the SSM parameter cla-sss-required-{stage}.
+	Required bool `json:"required"`
+}
+
 // Docraptor model
 type Docraptor struct {
 	APIKey   string `json:"apiKey"`