make sub readable

types.go

@@ -3,8 +3,6 @@ package common
 import (
 	"context"
 	"crypto/rsa"
-	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
 	"strings"
 	"time"
@@ -159,13 +157,17 @@ func (u *User) MakeSub() string {
 	if u == nil {
 		return ""
 	}
-	sub := StringValue(u.Email)
+	prefix := "email"
+	email := StringValue(u.Email)
+	if u.IsServiceAccount() {
+		prefix = "m2m"
+		email = strings.ReplaceAll(email, ServiceAccountPrefix, "")
+	}
+	sub := fmt.Sprintf("%s:%s", prefix, email)
 	if u.Internal != nil && u.Internal.EmployeeID != "" {
-		sub = u.Internal.EmployeeID
+		sub = fmt.Sprintf("eid:%s", u.Internal.EmployeeID)
 	}
-	sub = strings.ToLower(sub)
-	b := sha256.Sum256([]byte(sub))
-	return hex.EncodeToString(b[:])
+	return strings.ToLower(sub)
 }
 
 // ServiceAccountPrefix email domain for service accounts.

types_test.go

@@ -95,3 +95,49 @@ func TestStringEmpty(t *testing.T) {
 	assert.True(t, StringEmpty(""))
 	assert.False(t, StringEmpty("NONEMPTY"))
 }
+
+func TestMakeSub(t *testing.T) {
+	type testCase struct {
+		name string
+		User *User
+		Sub  string
+	}
+
+	testcases := []testCase{
+		{
+			name: "empty",
+			User: nil,
+			Sub:  "",
+		},
+		{
+			name: "human user with email",
+			User: &User{
+				Email: String("[email protected]"),
+			},
+			Sub: "email:[email protected]",
+		},
+		{
+			name: "machine user with email",
+			User: &User{
+				Email: String("my-machine-user@oauth2"),
+			},
+			Sub: "m2m:my-machine-user",
+		},
+		{
+			name: "human user with email internal claim",
+			User: &User{
+				Email: String("my-machine-user@oauth2"),
+				Internal: &Internal{
+					EmployeeID: "X123456",
+				},
+			},
+			Sub: "eid:x123456",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.Sub, tc.User.MakeSub())
+		})
+	}
+}