Followup SSS integration

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Assisted by [Claude](https://claude.ai)

Author: lukaszgryglicki

cla-backend-go/company/projections.go

@@ -19,6 +19,7 @@ func buildCompanyProjection() expression.ProjectionBuilder {
 		expression.Name("date_modified"),
 		expression.Name("note"),
 		expression.Name("is_sanctioned"),
+		expression.Name("sanction_origin"),
 		expression.Name("version"),
 	)
 }

cla-backend-go/company/repository.go

@@ -1318,7 +1318,23 @@ func (repo repository) UpdateCompanySanctionStatus(ctx context.Context, companyI
 		UpdateExpression: aws.String(updateExpr),
 	}
 
+	// When SSS sets a block, never overwrite a manual/admin block (is_sanctioned=true
+	// with absent or non-"sss" origin). Only set the SSS flag when the company is
+	// currently unblocked or already SSS-blocked. A ConditionalCheckFailedException
+	// therefore means a manual/admin block is already in place and must be preserved.
+	sssSettingBlock := sanctioned && origin == "sss"
+	if sssSettingBlock {
+		values[":false"] = &dynamodb.AttributeValue{BOOL: aws.Bool(false)}
+		input.ConditionExpression = aws.String("attribute_not_exists(#S) OR #S = :false OR #O = :o")
+	}
+
 	if _, err := repo.dynamoDBClient.UpdateItem(input); err != nil {
+		if sssSettingBlock {
+			if aerr, ok := err.(awserr.Error); ok && aerr.Code() == dynamodb.ErrCodeConditionalCheckFailedException {
+				log.WithFields(f).Debugf("company %s already has a manual/admin sanction block; preserving it and not overwriting origin with sss", companyID)
+				return nil
+			}
+		}
 		log.WithFields(f).Warnf("error updating company sanction status, error: %v", err)
 		return err
 	}

cla-backend-go/signatures/service.go

@@ -833,6 +833,14 @@ func (s service) CreateOrUpdateEmployeeSignature(ctx context.Context, claGroupMo
 		"companyID":      companyModel.CompanyID,
 	}
 
+	// Sanctions gate: never auto-create employee (ECLA) signatures for a sanctioned
+	// company. is_sanctioned is the persisted gate (SSS origin="sss" or a manual/admin
+	// block); both must block ECLA creation (auto-create toggle and approval-list edits).
+	if companyModel.IsSanctioned {
+		log.WithFields(f).Warnf("company %s is sanctioned (origin=%q); refusing to auto-create employee (ECLA) signatures", companyModel.CompanyID, companyModel.SanctionOrigin)
+		return nil, fmt.Errorf("company %s is sanctioned; employee (ECLA) signatures cannot be created", companyModel.CompanyID)
+	}
+
 	// Most of the following business logic is all the same - however, we need to handle the different types of approval lists entries and process them in the same way
 	// We build a list of users to process - this is a list of simple user models that contain the email, GitHub username, and GitLab username - typically only one of the values in the model will be set
 	userList, userErr := s.createOrGetEmployeeModels(ctx, claGroupModel, companyModel, corporateSignatureModel)
@@ -1517,6 +1525,17 @@ func (s service) ProcessEmployeeSignature(ctx context.Context, companyModel *mod
 		"projectID":      claGroupModel.ProjectID,
 		"userID":         user.UserID,
 	}
+
+	// Sanctions gate: a sanctioned company's employees are not authorized. is_sanctioned
+	// is the persisted gate (SSS origin="sss" or a manual/admin block); honor it here so
+	// employee-acknowledgement (ECLA) authorization fails for sanctioned companies on
+	// GitHub PR checks and authorization queries.
+	if companyModel.IsSanctioned {
+		log.WithFields(f).Warnf("company %s is sanctioned (origin=%q); employee acknowledgement not authorized", companyModel.CompanyID, companyModel.SanctionOrigin)
+		notSigned := false
+		return &notSigned, nil
+	}
+
 	var wg sync.WaitGroup
 	resultChannel := make(chan *EmployeeModel)
 	errorChannel := make(chan error)

cla-backend-go/v2/gitlab-activity/service.go

@@ -516,13 +516,21 @@ func (s *service) isSigned(ctx context.Context, userModel *models.User, claGroup
 	}
 
 	companyID := userModel.CompanyID
-	_, err = s.companyRepository.GetCompany(ctx, companyID)
+	companyModel, err := s.companyRepository.GetCompany(ctx, companyID)
 	if err != nil {
 		msg := fmt.Sprintf("can't load company record: %s for user: %s (%s), error: %v", companyID, userModel.Username, userModel.UserID, err)
 		log.WithFields(f).Errorf("%s", msg)
 		return false, fmt.Errorf("%s", msg)
 	}
 
+	// Sanctions gate: a sanctioned company's employees are not authorized. Honor the
+	// persisted is_sanctioned gate (SSS origin="sss" or a manual/admin block) so GitLab
+	// MR checks fail for sanctioned companies.
+	if companyModel != nil && companyModel.IsSanctioned {
+		log.WithFields(f).Warnf("company %s is sanctioned (origin=%q); GitLab contributor not authorized", companyID, companyModel.SanctionOrigin)
+		return false, fmt.Errorf("company %s is sanctioned", companyID)
+	}
+
 	corporateSignature, err := s.signatureRepository.GetCorporateSignature(ctx, claGroupID, companyID, aws.Bool(true), aws.Bool(true))
 	if err != nil {
 		msg := fmt.Sprintf("can't load company signature record for company: %s for user : %s (%s), error : %v", companyID, userModel.Username, userModel.UserID, err)

cla-backend-go/v2/sign/service.go

@@ -1149,6 +1149,17 @@ func (s *service) SignedCorporateCallback(ctx context.Context, payload []byte, c
 		return err
 	}
 
+	// Sanctions gate: re-screen the company before finalizing the CCLA. A company can
+	// become blocked (manual/admin or SSS) between the DocuSign request and this
+	// completion callback; do not finalize a corporate CLA for a sanctioned company.
+	if sanctioned, complianceErr := s.checkCompanyCompliance(ctx, companyModel); complianceErr != nil {
+		log.WithFields(f).WithError(complianceErr).Warnf("company compliance check failed in corporate callback for company %s; not finalizing CCLA", companyID)
+		return complianceErr
+	} else if sanctioned {
+		log.WithFields(f).Warnf("company %s is sanctioned; refusing to finalize corporate CLA in callback", companyID)
+		return fmt.Errorf("company %s is sanctioned; corporate CLA cannot be finalized", companyID)
+	}
+
 	// Assumme only one signature per company/project
 	var signatureID string
 	var signature *v1Models.Signature
@@ -2970,12 +2981,19 @@ func (s *service) GetUserActiveSignature(ctx context.Context, userID string) (*m
 // checkCompanyCompliance queries the Sanctions Screening Service for the given company
 // and persists the result. Returns (sanctioned, error).
 func (s *service) checkCompanyCompliance(ctx context.Context, company *v1Models.Company) (bool, error) {
+	sssMode := "optional"
+	if s.sssRequired {
+		sssMode = "required"
+	}
 	f := logrus.Fields{
-		"functionName":   "sign.checkCompanyCompliance",
-		utils.XREQUESTID: ctx.Value(utils.XREQUESTID),
-		"companyID":      company.CompanyID,
-		"companyName":    company.CompanyName,
+		"functionName":      "sign.checkCompanyCompliance",
+		utils.XREQUESTID:    ctx.Value(utils.XREQUESTID),
+		"companyID":         company.CompanyID,
+		"companyName":       company.CompanyName,
+		"companyExternalID": company.CompanyExternalID,
+		"sssMode":           sssMode,
 	}
+	log.WithFields(f).Debugf("starting company sanctions screening (mode=%s)", sssMode)
 
 	// Short-circuit for manually/admin-set blocks (sanction_origin != "sss" or no origin).
 	// SSS-origin blocks fall through so a now-clean result can clear them.
@@ -3052,10 +3070,12 @@ func (s *service) checkCompanyCompliance(ctx context.Context, company *v1Models.
 		req.SFDCID = company.CompanyExternalID
 	}
 
+	log.WithFields(f).Infof("calling SSS GetOrganizationStatus: domain=%s, orgName=%s, sfdcID=%q (mode=%s)", req.Domain, req.OrgName, req.SFDCID, sssMode)
 	result, err := s.sssClient.GetOrganizationStatus(ctx, req)
 	if err != nil {
 		return s.handleSSSError(f, company.CompanyID, err)
 	}
+	log.WithFields(f).Infof("SSS GetOrganizationStatus result for company %s: status=%q (domain=%s, mode=%s)", company.CompanyID, result.Status, req.Domain, sssMode)
 
 	sanctioned := result.Status == sss.StatusFlagged
 
@@ -3073,9 +3093,16 @@ func (s *service) checkCompanyCompliance(ctx context.Context, company *v1Models.
 		}
 	} else {
 		// Clear only when previously set by SSS; manual blocks are left untouched.
+		// ClearCompanySanctionStatusIfSSS treats a conditional-check failure (manual
+		// block / nothing to clear) as a no-op, so a non-nil error here is a real
+		// persistence failure. In required mode we fail closed rather than allow with a
+		// stale persisted sanction still in place.
 		log.WithFields(f).Debugf("SSS returned clean status for company %s; attempting conditional clear", company.CompanyID)
 		if clearErr := s.companyRepo.ClearCompanySanctionStatusIfSSS(ctx, company.CompanyID); clearErr != nil {
 			log.WithFields(f).WithError(clearErr).Warnf("failed to conditionally clear sanction status for company %s", company.CompanyID)
+			if s.sssRequired {
+				return false, fmt.Errorf("checkCompanyCompliance: SSS returned clean but clearing the persisted sanction failed for company %s: %w", company.CompanyID, clearErr)
+			}
 		}
 	}
 

cla-backend-legacy/internal/api/handlers.go

@@ -8896,6 +8896,12 @@ func (h *Handlers) checkCompanyCompliance(ctx context.Context, company map[strin
 	companyName := getAttrString(company, "company_name")
 	companyExternalID := getAttrString(company, "company_external_id")
 
+	sssMode := "optional"
+	if h.sssRequired {
+		sssMode = "required"
+	}
+	logging.Debugf("starting company sanctions screening for company %s (external_id=%s, mode=%s)", companyID, companyExternalID, sssMode)
+
 	// Short-circuit for manually/admin-set blocks (sanction_origin != "sss" or no origin).
 	// SSS-origin blocks fall through so a now-clean result can clear them.
 	isSanctioned := false
@@ -8959,10 +8965,12 @@ func (h *Handlers) checkCompanyCompliance(ctx context.Context, company map[strin
 		req.SFDCID = companyExternalID
 	}
 
+	logging.Infof("calling SSS GetOrganizationStatus for company %s: domain=%s, orgName=%s, sfdcID=%q (mode=%s)", companyID, req.Domain, req.OrgName, req.SFDCID, sssMode)
 	result, err := h.sssClient.GetOrganizationStatus(ctx, req)
 	if err != nil {
 		return h.handleSSSError(ctx, companyID, err)
 	}
+	logging.Infof("SSS GetOrganizationStatus result for company %s: status=%q (domain=%s, mode=%s)", companyID, result.Status, req.Domain, sssMode)
 
 	sanctioned := result.Status == sss.StatusFlagged
 
@@ -8980,9 +8988,15 @@ func (h *Handlers) checkCompanyCompliance(ctx context.Context, company map[strin
 		}
 	} else {
 		// Clear only when previously set by SSS; manual blocks are left untouched.
+		// ClearCompanySanctionStatusIfSSS treats a conditional-check failure as a no-op,
+		// so a non-nil error here is a real persistence failure. In required mode we fail
+		// closed rather than allow with a stale persisted sanction still in place.
 		logging.Debugf("SSS returned clean status for company %s; attempting conditional clear", companyID)
 		if clearErr := h.companies.ClearCompanySanctionStatusIfSSS(ctx, companyID); clearErr != nil {
 			logging.Warnf("failed to conditionally clear sanction status for company %s: %v", companyID, clearErr)
+			if h.sssRequired {
+				return false, fmt.Errorf("checkCompanyCompliance: SSS returned clean but clearing the persisted sanction failed for company %s: %w", companyID, clearErr)
+			}
 		}
 	}
 

cla-backend-legacy/internal/store/companies.go

@@ -166,16 +166,37 @@ func (s *CompaniesStore) UpdateCompanySanctionStatus(ctx context.Context, compan
 		updateExpr += ", #O = :o"
 	}
 
-	_, err := s.client.UpdateItem(ctx, &dynamodb.UpdateItemInput{
+	input := &dynamodb.UpdateItemInput{
 		TableName: aws.String(s.table),
 		Key: map[string]types.AttributeValue{
 			"company_id": &types.AttributeValueMemberS{Value: companyID},
 		},
 		UpdateExpression:          aws.String(updateExpr),
 		ExpressionAttributeNames:  names,
 		ExpressionAttributeValues: values,
-	})
-	return err
+	}
+
+	// When SSS sets a block, never overwrite a manual/admin block (is_sanctioned=true
+	// with absent or non-"sss" origin). Only set the SSS flag when the company is
+	// currently unblocked or already SSS-blocked; a ConditionalCheckFailedException
+	// means a manual/admin block is already present and must be preserved.
+	sssSettingBlock := sanctioned && origin == "sss"
+	if sssSettingBlock {
+		values[":false"] = &types.AttributeValueMemberBOOL{Value: false}
+		input.ConditionExpression = aws.String("attribute_not_exists(#S) OR #S = :false OR #O = :o")
+	}
+
+	_, err := s.client.UpdateItem(ctx, input)
+	if err != nil {
+		if sssSettingBlock {
+			var condErr *types.ConditionalCheckFailedException
+			if errors.As(err, &condErr) {
+				return nil // Preserve the existing manual/admin block
+			}
+		}
+		return err
+	}
+	return nil
 }
 
 // ClearCompanySanctionStatusIfSSS clears is_sanctioned only when sanction_origin="sss".