Add SSS enabled/disabled switch in EasyCLA #5104
Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io> Assisted by [OpenAI](https://platform.openai.com/) Assisted by [GitHub Copilot](https://github.com/features/copilot) Assisted by [Claude](https://claude.ai)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cla-backend-go/cmd/server.go`:
- Around line 458-468: Restore the blank-config guard in server startup before
calling sss.NewClientFromPlatformCredentials so empty SSS settings are treated
as unconfigured rather than attempted initialization. In the startup flow around
sssEnabled/sssRequired and sssClient, check the SSS config fields first and skip
client creation when BaseURL or Audience are blank, leaving sssClient nil for
optional/disabled setups. Keep the existing fatal/warn handling only for actual
client creation failures, not for missing configuration.
In `@cla-backend-legacy/internal/api/handlers.go`:
- Around line 284-290: The boolean parsing in getOptionalSSMBoolDefault
currently treats any non-"true" SSM value as false, which can silently disable
SSS on typos. Update this helper to explicitly accept only valid boolean strings
(for example true/false) and handle anything else by returning the safe default
or failing closed. Keep the change localized to getOptionalSSMBoolDefault and
its call path from getOptionalSSMString so malformed cla-sss-enabled-<stage>
values do not bypass sanctions screening.
📒 Files selected for processing (6)
- cla-backend-go/cmd/s3_upload/main.go
- cla-backend-go/cmd/server.go
- cla-backend-go/config/config.go
- cla-backend-go/config/ssm.go
- cla-backend-go/v2/sign/service.go
- cla-backend-legacy/internal/api/handlers.go
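The typo risk raised for `getOptionalSSMBoolDefault` in the review above, as an added Go example that is not EasyCLA's code. `lenientEnabled` reproduces the behaviour the review comment describes; `strictEnabled` is a hypothetical name and signature that accepts only true/false and otherwise returns the caller's default together with an error.

```go
package main

import (
	"fmt"
	"strings"
)

// lenientEnabled mirrors the behaviour the review comment describes:
// anything other than the exact string "true" reads as false.
func lenientEnabled(raw string) bool {
	return raw == "true"
}

// strictEnabled is a hypothetical replacement. It accepts only "true" or
// "false" (case-insensitive, surrounding whitespace ignored). A parameter
// that is not found yields def; a malformed one also yields def, plus an
// error the caller can log, so a typo cannot switch screening off.
func strictEnabled(raw string, found bool, def bool) (bool, error) {
	if !found {
		return def, nil
	}
	switch strings.ToLower(strings.TrimSpace(raw)) {
	case "true":
		return true, nil
	case "false":
		return false, nil
	default:
		return def, fmt.Errorf("invalid boolean %q for SSS enabled flag", raw)
	}
}

func main() {
	// Constructed sample values for a cla-sss-enabled-<stage> parameter.
	samples := []string{"true", "false", "True", "ture", "1", " true\n", ""}
	for _, raw := range samples {
		strict, err := strictEnabled(raw, true, true)
		fmt.Printf("%-10q lenient=%-5v strict=%-5v err=%v\n",
			raw, lenientEnabled(raw), strict, err)
	}
}
```

With the default set to `true`, only an explicit, well-formed `false` disables screening; every other value either enables it or keeps it enabled and surfaces an error.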
Pull request overview
This PR adds a master enable/disable "kill switch" for the Sanctions Screening Service (SSS) in EasyCLA, controlled by a new cla-sss-enabled-{stage} SSM parameter that defaults to true so a not-yet-provisioned key never silently disables screening. When disabled, checkCompanyCompliance skips the live SSS call (after the manual/admin block short-circuit) and returns non-blocking. The change is mirrored across the Go backend (cla-backend-go) and the legacy backend (cla-backend-legacy).
Changes:
- Add `SSS.Enabled` config field plus a `getOptionalSSMBoolDefault` helper (defaults to a caller-supplied value) in both backends.
- Thread `sssEnabled` through the v2 sign service constructor and its call sites, and add an early skip in `checkCompanyCompliance` when disabled.
- Gate the "required SSS" fatal startup checks on `sssEnabled` so the kill switch also relaxes startup enforcement.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| cla-backend-go/config/config.go | Adds Enabled field to the SSS config struct with documentation of the kill-switch semantics. |
| cla-backend-go/config/ssm.go | Loads cla-sss-enabled-{stage} (default true) via a new getOptionalSSMBoolDefault helper. |
| cla-backend-go/cmd/server.go | Reads SSS.Enabled, gates fatal SSS checks on it, and passes it to sign.NewService. |
| cla-backend-go/cmd/s3_upload/main.go | Updates the sign.NewService call to pass the new sssEnabled argument (false). |
| cla-backend-go/v2/sign/service.go | Adds sssEnabled to the service, constructor, and an early skip in checkCompanyCompliance. |
| cla-backend-legacy/internal/api/handlers.go | Mirrors the enabled flag, SSM default helper, startup gating, and compliance skip in legacy. |