feat(continuous_screening): handle whitelisting (#1338)

* feat(continuous_monitoring): update matches status and add in whitelist

* test: Add unit tests for UpdateContinuousScreeningMatchStatus

* feat(continuous_monitoring): add whitelist list in opensanction query

* fix test

* Update usecases/continuous_screening/screening.go

Co-authored-by: Copilot <[email protected]>

* chore: minor change

---------

Co-authored-by: Copilot <[email protected]>

Author: OrriMandarin

api/handle_continuous_screening.go

@@ -201,3 +201,33 @@ func handleListContinuousScreeningsForOrg(uc usecases.Usecases) func(c *gin.Cont
 		)
 	}
 }
+
+func handleUpdateContinuousScreeningMatchStatus(uc usecases.Usecases) func(c *gin.Context) {
+	return func(c *gin.Context) {
+		ctx := c.Request.Context()
+		matchId := c.Param("id")
+
+		var payload dto.ScreeningMatchUpdateDto
+		if presentError(ctx, c, c.ShouldBindJSON(&payload)) {
+			return
+		}
+
+		creds, ok := utils.CredentialsFromCtx(ctx)
+		if !ok {
+			presentError(ctx, c, models.ErrUnknownUser)
+			return
+		}
+		update, err := dto.AdaptScreeningMatchUpdateInputDto(matchId, creds.ActorIdentity.UserId, payload)
+		if presentError(ctx, c, err) {
+			return
+		}
+
+		uc := usecasesWithCreds(ctx, uc).NewContinuousScreeningUsecase()
+		match, err := uc.UpdateContinuousScreeningMatchStatus(ctx, update)
+		if presentError(ctx, c, err) {
+			return
+		}
+
+		c.JSON(http.StatusOK, dto.AdaptContinuousScreeningMatchDto(match))
+	}
+}

api/routes.go

@@ -205,6 +205,8 @@ func addRoutes(r *gin.Engine, conf Configuration, uc usecases.Usecases, auth uti
 	)
 	router.POST("/continuous-screenings/objects", tom,
 		handleInsertContinuousScreeningObject(uc))
+	router.PATCH("/continuous-screenings/matches/:id", tom,
+		handleUpdateContinuousScreeningMatchStatus(uc))
 
 	router.GET("/scenario-publications", tom, handleListScenarioPublications(uc))
 	router.POST("/scenario-publications", tom, handleCreateScenarioPublication(uc))

mocks/case_usecase.go

@@ -23,3 +23,8 @@ func (m *CaseEditor) CreateCase(
 	args := m.Called(ctx, tx, userId, createCaseAttributes, fromEndUser)
 	return args.Get(0).(models.Case), args.Error(1)
 }
+
+func (m *CaseEditor) PerformCaseActionSideEffects(ctx context.Context, tx repositories.Transaction, caseModel models.Case) error {
+	args := m.Called(ctx, tx, caseModel)
+	return args.Error(0)
+}

mocks/continuous_screening_repository.go

@@ -120,6 +120,55 @@ func (m *ContinuousScreeningRepository) ListContinuousScreeningsForOrg(
 	return args.Get(0).([]models.ContinuousScreeningWithMatches), args.Error(1)
 }
 
+func (m *ContinuousScreeningRepository) GetContinuousScreeningWithMatchesById(
+	ctx context.Context,
+	exec repositories.Executor,
+	id uuid.UUID,
+) (models.ContinuousScreeningWithMatches, error) {
+	args := m.Called(ctx, exec, id)
+	return args.Get(0).(models.ContinuousScreeningWithMatches), args.Error(1)
+}
+
+func (m *ContinuousScreeningRepository) GetContinuousScreeningMatch(
+	ctx context.Context,
+	exec repositories.Executor,
+	id uuid.UUID,
+) (models.ContinuousScreeningMatch, error) {
+	args := m.Called(ctx, exec, id)
+	return args.Get(0).(models.ContinuousScreeningMatch), args.Error(1)
+}
+
+func (m *ContinuousScreeningRepository) UpdateContinuousScreeningStatus(
+	ctx context.Context,
+	exec repositories.Executor,
+	id uuid.UUID,
+	newStatus models.ScreeningStatus,
+) (models.ContinuousScreening, error) {
+	args := m.Called(ctx, exec, id, newStatus)
+	return args.Get(0).(models.ContinuousScreening), args.Error(1)
+}
+
+func (m *ContinuousScreeningRepository) UpdateContinuousScreeningMatchStatus(
+	ctx context.Context,
+	exec repositories.Executor,
+	id uuid.UUID,
+	status models.ScreeningMatchStatus,
+	reviewerId *uuid.UUID,
+) (models.ContinuousScreeningMatch, error) {
+	args := m.Called(ctx, exec, id, status, reviewerId)
+	return args.Get(0).(models.ContinuousScreeningMatch), args.Error(1)
+}
+
+func (m *ContinuousScreeningRepository) SearchScreeningMatchWhitelist(
+	ctx context.Context,
+	exec repositories.Executor,
+	orgId string,
+	counterpartyId, entityId *string,
+) ([]models.ScreeningWhitelist, error) {
+	args := m.Called(ctx, exec, orgId, counterpartyId, entityId)
+	return args.Get(0).([]models.ScreeningWhitelist), args.Error(1)
+}
+
 func (m *ContinuousScreeningRepository) GetInboxById(
 	ctx context.Context,
 	exec repositories.Executor,
@@ -129,6 +178,46 @@ func (m *ContinuousScreeningRepository) GetInboxById(
 	return args.Get(0).(models.Inbox), args.Error(1)
 }
 
+func (m *ContinuousScreeningRepository) ListInboxes(
+	ctx context.Context,
+	exec repositories.Executor,
+	orgId string,
+	withCaseCount bool,
+) ([]models.Inbox, error) {
+	args := m.Called(ctx, exec, orgId, withCaseCount)
+	return args.Get(0).([]models.Inbox), args.Error(1)
+}
+
+func (m *ContinuousScreeningRepository) GetCaseById(
+	ctx context.Context,
+	exec repositories.Executor,
+	caseId string,
+) (models.Case, error) {
+	args := m.Called(ctx, exec, caseId)
+	return args.Get(0).(models.Case), args.Error(1)
+}
+
+func (m *ContinuousScreeningRepository) CreateCaseEvent(
+	ctx context.Context,
+	exec repositories.Executor,
+	createCaseEventAttributes models.CreateCaseEventAttributes,
+) error {
+	args := m.Called(ctx, exec, createCaseEventAttributes)
+	return args.Error(0)
+}
+
+func (m *ContinuousScreeningRepository) AddScreeningMatchWhitelist(
+	ctx context.Context,
+	exec repositories.Executor,
+	orgId string,
+	counterpartyId string,
+	entityId string,
+	reviewerId *models.UserId,
+) error {
+	args := m.Called(ctx, exec, orgId, counterpartyId, entityId, reviewerId)
+	return args.Error(0)
+}
+
 type ContinuousScreeningClientDbRepository struct {
 	mock.Mock
 }

mocks/continuous_screening_usecase.go

@@ -36,11 +36,14 @@ func (m *ContinuousScreeningUsecase) GetIngestedObject(
 
 func (m *ContinuousScreeningUsecase) DoScreening(
 	ctx context.Context,
+	exec repositories.Executor,
 	ingestedObject models.DataModelObject,
 	mapping models.ContinuousScreeningDataModelMapping,
 	config models.ContinuousScreeningConfig,
+	objectType string,
+	objectId string,
 ) (models.ScreeningWithMatches, error) {
-	args := m.Called(ctx, ingestedObject, mapping, config)
+	args := m.Called(ctx, exec, ingestedObject, mapping, config, objectType, objectId)
 	return args.Get(0).(models.ScreeningWithMatches), args.Error(1)
 }
 

mocks/enforce_security.go

@@ -1,6 +1,8 @@
 package mocks
 
 import (
+	"context"
+
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/mock"
 
@@ -222,3 +224,33 @@ func (e *EnforceSecurity) ReadContinuousScreeningHit(hit models.ContinuousScreen
 	args := e.Called(hit)
 	return args.Error(0)
 }
+
+func (e *EnforceSecurity) WriteContinuousScreeningHit(orgId uuid.UUID) error {
+	args := e.Called(orgId)
+	return args.Error(0)
+}
+
+func (e *EnforceSecurity) ReadOrUpdateCase(c models.CaseMetadata, availableInboxIds []uuid.UUID) error {
+	args := e.Called(c, availableInboxIds)
+	return args.Error(0)
+}
+
+func (e *EnforceSecurity) CreateCase(input models.CreateCaseAttributes, availableInboxIds []uuid.UUID) error {
+	args := e.Called(input, availableInboxIds)
+	return args.Error(0)
+}
+
+func (e *EnforceSecurity) ReadWhitelist(ctx context.Context) error {
+	args := e.Called(ctx)
+	return args.Error(0)
+}
+
+func (e *EnforceSecurity) WriteWhitelist(ctx context.Context) error {
+	args := e.Called(ctx)
+	return args.Error(0)
+}
+
+func (e *EnforceSecurity) PerformFreeformSearch(ctx context.Context) error {
+	args := e.Called(ctx)
+	return args.Error(0)
+}

mocks/inboxes_repository.go

@@ -17,68 +17,68 @@ type InboxRepository struct {
 func (r *InboxRepository) ListInboxes(ctx context.Context, exec repositories.Executor,
 	organizationId string, inboxIds []uuid.UUID, withCaseCount bool,
 ) ([]models.Inbox, error) {
-	args := r.Called(exec, organizationId, inboxIds)
+	args := r.Called(ctx, exec, organizationId, inboxIds, withCaseCount)
 	return args.Get(0).([]models.Inbox), args.Error(1)
 }
 
 func (r *InboxRepository) GetInboxById(ctx context.Context, exec repositories.Executor, inboxId uuid.UUID) (models.Inbox, error) {
-	args := r.Called(exec, inboxId)
+	args := r.Called(ctx, exec, inboxId)
 	return args.Get(0).(models.Inbox), args.Error(1)
 }
 
 func (r *InboxRepository) CreateInbox(ctx context.Context, exec repositories.Executor,
 	input models.CreateInboxInput, newInboxId uuid.UUID,
 ) error {
-	args := r.Called(exec, input, newInboxId)
+	args := r.Called(ctx, exec, input, newInboxId)
 	return args.Error(0)
 }
 
 func (r *InboxRepository) UpdateInbox(ctx context.Context, exec repositories.Executor,
 	inboxId uuid.UUID, name *string, escalationInboxId *uuid.UUID, autoAssignEnabled *bool,
 ) error {
-	args := r.Called(exec, inboxId, name, escalationInboxId, autoAssignEnabled)
+	args := r.Called(ctx, exec, inboxId, name, escalationInboxId, autoAssignEnabled)
 	return args.Error(0)
 }
 
 func (r *InboxRepository) SoftDeleteInbox(ctx context.Context, exec repositories.Executor, inboxId uuid.UUID) error {
-	args := r.Called(exec, inboxId)
+	args := r.Called(ctx, exec, inboxId)
 	return args.Error(0)
 }
 
 func (r *InboxRepository) ListOrganizationCases(ctx context.Context, exec repositories.Executor,
 	filters models.CaseFilters, pagination models.PaginationAndSorting,
 ) ([]models.Case, error) {
-	args := r.Called(exec, filters, pagination)
+	args := r.Called(ctx, exec, filters, pagination)
 	return args.Get(0).([]models.Case), args.Error(1)
 }
 
 func (r *InboxRepository) ListInboxUsers(ctx context.Context, exec repositories.Executor,
 	filters models.InboxUserFilterInput,
 ) ([]models.InboxUser, error) {
-	args := r.Called(exec, filters)
+	args := r.Called(ctx, exec, filters)
 	return args.Get(0).([]models.InboxUser), args.Error(1)
 }
 
 func (r *InboxRepository) GetInboxUserById(ctx context.Context, exec repositories.Executor, inboxUserId uuid.UUID) (models.InboxUser, error) {
-	args := r.Called(exec, inboxUserId)
+	args := r.Called(ctx, exec, inboxUserId)
 	return args.Get(0).(models.InboxUser), args.Error(1)
 }
 
 func (r *InboxRepository) CreateInboxUser(ctx context.Context, exec repositories.Executor,
 	input models.CreateInboxUserInput, newInboxUserId uuid.UUID,
 ) error {
-	args := r.Called(exec, input, newInboxUserId)
+	args := r.Called(ctx, exec, input, newInboxUserId)
 	return args.Error(0)
 }
 
 func (r *InboxRepository) UpdateInboxUser(ctx context.Context, exec repositories.Executor,
 	inboxUserId uuid.UUID, role *models.InboxUserRole, autoAssignable *bool,
 ) error {
-	args := r.Called(exec, inboxUserId, role, autoAssignable)
+	args := r.Called(ctx, exec, inboxUserId, role, autoAssignable)
 	return args.Error(0)
 }
 
 func (r *InboxRepository) DeleteInboxUser(ctx context.Context, exec repositories.Executor, inboxUserId uuid.UUID) error {
-	args := r.Called(exec, inboxUserId)
+	args := r.Called(ctx, exec, inboxUserId)
 	return args.Error(0)
 }

models/opensanctions.go

@@ -39,6 +39,8 @@ type OpenSanctionsQuery struct {
 	InitialQuery       []OpenSanctionsCheckQuery
 	Config             ScreeningConfig
 	OrgConfig          OrganizationOpenSanctionsConfig
+	// cf: `exclude_entity_ids` in the OpenSanctions query
+	WhitelistedEntityIds []string
 }
 
 type OpenSanctionsCheckQuery struct {

models/permission.go

@@ -62,6 +62,7 @@ const (
 	CONTINUOUS_SCREENING_CONFIG_READ
 	CONTINUOUS_SCREENING_CONFIG_WRITE
 	CONTINUOUS_SCREENING_HIT_READ
+	CONTINUOUS_SCREENING_HIT_WRITE
 	CONTINUOUS_SCREENING_OBJECT_WRITE
 	ANNOTATION_DELETE
 )
@@ -123,6 +124,7 @@ func (r Permission) String() (string, error) {
 		"CONTINUOUS_SCREENING_CONFIG_READ",
 		"CONTINUOUS_SCREENING_CONFIG_WRITE",
 		"CONTINUOUS_SCREENING_HIT_READ",
+		"CONTINUOUS_SCREENING_HIT_WRITE",
 		"CONTINUOUS_SCREENING_OBJECT_WRITE",
 		"ANNOTATION_DELETE",
 	}

models/role_permission.go

@@ -19,6 +19,7 @@ var VIEWER_PERMISSIONS = []Permission{
 	CONTINUOUS_SCREENING_CONFIG_READ,
 	CONTINUOUS_SCREENING_CONFIG_WRITE,
 	CONTINUOUS_SCREENING_HIT_READ,
+	CONTINUOUS_SCREENING_HIT_WRITE,
 	CONTINUOUS_SCREENING_OBJECT_WRITE,
 }
 
@@ -71,6 +72,7 @@ var ROLES_PERMISSIOMS = map[Role][]Permission{
 		CONTINUOUS_SCREENING_CONFIG_READ,
 		CONTINUOUS_SCREENING_CONFIG_WRITE,
 		CONTINUOUS_SCREENING_HIT_READ,
+		CONTINUOUS_SCREENING_HIT_WRITE,
 		CONTINUOUS_SCREENING_OBJECT_WRITE,
 	},
 	TRANSFER_CHECK_API_CLIENT: {