Add SSS enabled/disabled switch to EasyCLA (prod) #5105
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Pull request overview
This PR introduces a runtime kill switch (`sssEnabled`) for the Sanctions Screening Service (SSS), sourced from a new `cla-sss-enabled-{stage}` SSM parameter that defaults to `true`. When set to `false`, the live SSS check in `checkCompanyCompliance` is skipped (returning "not blocked") in both the Go (`cla-backend-go`) and legacy (`cla-backend-legacy`) backends, while manual/admin sanction blocks and persisted `is_sanctioned` gates elsewhere continue to apply. The switch is applied consistently across config loading, server wiring, service construction, and the compliance-check code paths, with matching test updates.
Changes:
- Added a new `Enabled` SSS flag loaded from `cla-sss-enabled-{stage}` (default `true`) via a new `getOptionalSSMBoolDefault` helper in both backends, and refactored the existing `getOptionalSSMBool` to delegate to it (now using `strconv.ParseBool`).
- Added a kill-switch short-circuit in `checkCompanyCompliance` (placed after the manual/admin block short-circuit) and threaded `sssEnabled` through `NewService`, the server wiring, and the `s3_upload` call site.
- Updated existing SSS tests to set `sssEnabled: true` and added `TestCheckCompanyComplianceDisabledSkipsSSS` covering the disabled path.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `cla-backend-go/config/config.go` | Adds `Enabled` field to the SSS config struct with a documenting comment. |
| `cla-backend-go/config/ssm.go` | Loads `cla-sss-enabled` with default `true`; adds `getOptionalSSMBoolDefault` and refactors `getOptionalSSMBool`. |
| `cla-backend-go/cmd/server.go` | Reads `sssEnabled` from config, guards the required-client fatals with it, and passes it to `NewService`. |
| `cla-backend-go/cmd/s3_upload/main.go` | Updates the `NewService` call with the new `sssEnabled` (`false`) argument. |
| `cla-backend-go/v2/sign/service.go` | Adds `sssEnabled` to the service struct and `NewService` signature; skips live SSS check when disabled. |
| `cla-backend-go/v2/sign/service_sss_test.go` | Sets `sssEnabled` in existing tests and adds a disabled-path test. |
| `cla-backend-legacy/internal/api/handlers.go` | Mirrors the Go changes: new `sssEnabled` field/loading, `getOptionalSSMBoolDefault`, and kill-switch branch. |
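The kill-switch behaviour summarised in the review above, as an added Go sketch that is not code from this PR or from EasyCLA: an optional boolean parameter with a default of `true`, and a compliance check that applies the manual/admin block before the switch. All names (`optionalBoolDefault`, `company`, `screener`, `checkCompliance`) are hypothetical, and falling back to the default on an unparseable value is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical names throughout; this is not the EasyCLA source.

// optionalBoolDefault parses an optional parameter value. A missing or
// unparseable value yields def (assumed policy for this sketch), so with
// def=true a typo in the parameter cannot silently disable screening.
func optionalBoolDefault(raw string, found bool, def bool) bool {
	if !found {
		return def
	}
	v, err := strconv.ParseBool(strings.TrimSpace(raw))
	if err != nil {
		return def
	}
	return v
}

type company struct {
	ManuallyBlocked bool // manual/admin sanction block
}

// screener stands in for the live SSS client.
type screener func(c company) (blocked bool, err error)

// checkCompliance applies the manual/admin block first, then the kill
// switch, and only then calls the live screening service.
func checkCompliance(c company, sssEnabled bool, live screener) (bool, error) {
	if c.ManuallyBlocked {
		return true, nil // manual blocks apply even when SSS is disabled
	}
	if !sssEnabled {
		return false, nil // live check skipped: "not blocked"
	}
	return live(c)
}

func main() {
	hit := func(company) (bool, error) { return true, nil } // constructed: SSS always flags
	enabled := optionalBoolDefault("false", true, true)
	b1, _ := checkCompliance(company{ManuallyBlocked: true}, enabled, hit)
	b2, _ := checkCompliance(company{}, enabled, hit)
	fmt.Println(enabled, b1, b2)
}
```

With the switch off, the second call returns "not blocked" for a company the live service would have flagged, so changes to the parameter are worth auditing and alerting on.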