Add SSS client config

[lukaszgryglicki]

Signed-off-by: Lukasz Gryglicki lgryglicki@cncf.io

Assisted by OpenAI

Assisted by GitHub Copilot

Assisted by Claude

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 90dcb0e3-a00f-4ee0-a03a-f3f4267cc8f3

📥 Commits

Reviewing files that changed from the base of the PR and between 6afba94 and ae01681.

📒 Files selected for processing (3)

• cla-backend-go/config/ssm.go
• cla-backend-go/sss/from_config.go
• cla-backend-go/sss/from_config_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cla-backend-go/config/ssm.go
• cla-backend-go/sss/from_config.go

---

Walkthrough

Adds SSS support: new SSS config fields in Config, best-effort SSM loading of SSS parameters, and NewClientFromPlatformCredentials which builds an SSS client from platform Auth0 M2M credentials (returns nil,nil to disable when baseURL or audience are blank). Tests added.

Changes

SSS Configuration and Client Integration

Layer / File(s)	Summary
SSS configuration schema cla-backend-go/config/config.go	Config struct gains SSS field, and new SSS type defines BaseURL and Audience fields for Sanctions Screening Service integration settings.
SSM parameter loading for SSS cla-backend-go/config/ssm.go	loadSSMConfig calls new loadOptionalSSSConfig helper that fetches SSS base URL and audience from SSM parameters; missing or unreadable values return empty and log appropriately without failing startup.
SSS client factory and tests cla-backend-go/sss/from_config.go, cla-backend-go/sss/from_config_test.go	NewClientFromPlatformCredentials constructs an SSS client from Auth0 M2M credentials, derives Auth0 domain from token URL, returns (nil, nil) when baseURL or audience are empty, and validates/normalizes credentials. Tests verify disabled behavior, domain derivation (including schemeless inputs), credential validation, and trimming.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• linuxfoundation/easycla#5058: The new NewClientFromPlatformCredentials constructor and Config.SSS wiring directly integrate with the SSS client implementation from that PR, sharing Auth0 token URL and domain normalization behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.45% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add SSS client config' directly and clearly summarizes the main change: adding SSS (Sanctions Screening Service) client configuration support across the codebase.
Description check	✅ Passed	The description includes sign-off and acknowledgments of AI assistance, which is related to the changeset context though minimal in detail.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch unicron-sss-ecla-check

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds first-class configuration support for the Sanctions Screening Service (SSS) in the Go backend, including optional SSM parameter loading and a helper to construct an SSS client using existing Auth0 platform (M2M) credentials.

Changes:

• Introduces config.SSS config model (BaseURL + Auth0 audience) and wires optional SSM lookup for its parameters.
• Adds sss.NewClientFromPlatformCredentials(...) helper to derive the Auth0 domain from the platform token URL and build an SSS client.
• Adds unit tests covering the new helper’s “disabled” behavior and Auth0 domain derivation.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
cla-backend-go/sss/from_config.go	Adds helper to build an SSS client from existing platform/Auth0 credentials.
cla-backend-go/sss/from_config_test.go	Adds unit tests for the new helper.
cla-backend-go/config/ssm.go	Loads SSS SSM parameters leniently (optional) during config load.
cla-backend-go/config/config.go	Adds SSS config struct to the main config model.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.