b/325372861 Split UserId, UserEmail

sources/src/main/java/com/google/solutions/jitaccess/core/UserEmail.java

@@ -0,0 +1,71 @@
+//
+// Copyright 2021 Google LLC
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.google.solutions.jitaccess.core;
+
+import com.google.common.base.Preconditions;
+
+import java.util.Objects;
+
+/**
+ * Primary email address of a user.
+ */
+public class UserEmail implements Comparable<UserEmail> {
+  public final String email;
+
+  public UserEmail(String email) {
+    Preconditions.checkNotNull(email, "email");
+    this.email = email;
+  }
+
+  @Override
+  public String toString() {
+    return this.email;
+  }
+
+  // -------------------------------------------------------------------------
+  // Equality.
+  // -------------------------------------------------------------------------
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    UserEmail userEmail = (UserEmail) o;
+    return email.equals(userEmail.email);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(email);
+  }
+
+  @Override
+  public int compareTo(UserEmail o) {
+    return this.email.compareTo(o.email);
+  }
+}

sources/src/main/java/com/google/solutions/jitaccess/core/UserId.java

@@ -1,5 +1,5 @@
 //
-// Copyright 2021 Google LLC
+// Copyright 2024 Google LLC
 //
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
@@ -25,30 +25,20 @@
 
 import java.util.Objects;
 
-public class UserId implements Comparable<UserId> {
+/**
+ * Primary email address and unique ID of a user.
+ */
+public class UserId extends UserEmail {
   public final transient String id;
-  public final String email;
 
   public UserId(String id, String email) {
-    Preconditions.checkNotNull(email, "email");
+    super(email);
 
-    this.id = id;
-    this.email = email;
-  }
-
-  public UserId(String email) {
-    this(null, email);
-  }
+    Preconditions.checkNotNull(id, "id");
 
-  @Override
-  public String toString() {
-    return this.email;
+    this.id = id;
   }
 
-  // -------------------------------------------------------------------------
-  // Equality.
-  // -------------------------------------------------------------------------
-
   @Override
   public boolean equals(Object o) {
     if (this == o) {
@@ -59,17 +49,16 @@ public boolean equals(Object o) {
       return false;
     }
 
+    if (!super.equals(o)) {
+      return false;
+    }
+
     UserId userId = (UserId) o;
-    return email.equals(userId.email);
+    return this.id.equals(userId.id);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(email);
-  }
-
-  @Override
-  public int compareTo(UserId o) {
-    return this.email.compareTo(o.email);
+    return Objects.hash(super.hashCode(), id);
   }
 }

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/ActivationRequest.java

@@ -22,7 +22,7 @@
 package com.google.solutions.jitaccess.core.catalog;
 
 import com.google.common.base.Preconditions;
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 
 import java.time.Duration;
 import java.time.Instant;
@@ -37,13 +37,13 @@ public abstract class ActivationRequest<TEntitlementId extends EntitlementId> {
   private final ActivationId id;
   private final Instant startTime;
   private final Duration duration;
-  private final UserId requestingUser;
+  private final UserEmail requestingUser;
   private final Set<TEntitlementId> entitlements;
   private final String justification;
 
   protected ActivationRequest(
     ActivationId id,
-    UserId requestingUser,
+    UserEmail requestingUser,
     Set<TEntitlementId> entitlements,
     String justification,
     Instant startTime,
@@ -104,7 +104,7 @@ public Instant endTime() {
   /**
    * @return user that requested access.
    */
-  public UserId requestingUser() {
+  public UserEmail requestingUser() {
     return this.requestingUser;
   }
 

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/EntitlementActivator.java

@@ -25,7 +25,7 @@
 import com.google.solutions.jitaccess.core.AccessDeniedException;
 import com.google.solutions.jitaccess.core.AccessException;
 import com.google.solutions.jitaccess.core.AlreadyExistsException;
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 
 import java.io.IOException;
 import java.time.Duration;
@@ -54,7 +54,7 @@ protected EntitlementActivator(
    * Create a new request to activate an entitlement that permits self-approval.
    */
   public final JitActivationRequest<TEntitlementId> createJitRequest(
-    UserId requestingUser,
+    UserEmail requestingUser,
     Set<TEntitlementId> entitlements,
     String justification,
     Instant startTime,
@@ -81,9 +81,9 @@ public final JitActivationRequest<TEntitlementId> createJitRequest(
    * multi-party approval.
    */
   public MpaActivationRequest<TEntitlementId> createMpaRequest(
-    UserId requestingUser,
+    UserEmail requestingUser,
     Set<TEntitlementId> entitlements,
-    Set<UserId> reviewers,
+    Set<UserEmail> reviewers,
     String justification,
     Instant startTime,
     Duration duration
@@ -142,7 +142,7 @@ public final Activation<TEntitlementId> activate(
    * Approve another user's request.
    */
   public final Activation<TEntitlementId> approve(
-    UserId approvingUser,
+    UserEmail approvingUser,
     MpaActivationRequest<TEntitlementId> request
   ) throws AccessException, AlreadyExistsException, IOException
   {
@@ -193,7 +193,7 @@ protected abstract void provisionAccess(
    * Apply a request.
    */
   protected abstract void provisionAccess(
-    UserId approvingUser,
+    UserEmail approvingUser,
     MpaActivationRequest<TEntitlementId> request
   ) throws AccessException, AlreadyExistsException, IOException;
 
@@ -211,7 +211,7 @@ protected static class JitRequest<TEntitlementId extends EntitlementId>
     extends JitActivationRequest<TEntitlementId> {
     public JitRequest(
       ActivationId id,
-      UserId requestingUser,
+      UserEmail requestingUser,
       Set<TEntitlementId> entitlements,
       String justification,
       Instant startTime,
@@ -225,9 +225,9 @@ protected static class MpaRequest<TEntitlementId extends EntitlementId>
     extends MpaActivationRequest<TEntitlementId> {
     public MpaRequest(
       ActivationId id,
-      UserId requestingUser,
+      UserEmail requestingUser,
       Set<TEntitlementId> entitlements,
-      Set<UserId> reviewers,
+      Set<UserEmail> reviewers,
       String justification,
       Instant startTime,
       Duration duration

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/EntitlementCatalog.java

@@ -22,7 +22,7 @@
 package com.google.solutions.jitaccess.core.catalog;
 
 import com.google.solutions.jitaccess.core.AccessException;
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 
 import java.io.IOException;
 
@@ -41,7 +41,7 @@ void verifyUserCanRequest(
    * Verify if a user is allowed to approve a given request.
    */
   void verifyUserCanApprove(
-    UserId approvingUser,
+    UserEmail approvingUser,
     MpaActivationRequest<TEntitlementId> request
   ) throws AccessException, IOException;
 }

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/JitActivationRequest.java

@@ -21,7 +21,7 @@
 
 package com.google.solutions.jitaccess.core.catalog;
 
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 
 import java.time.Duration;
 import java.time.Instant;
@@ -34,7 +34,7 @@ public abstract class JitActivationRequest<TEntitlementId extends EntitlementId>
   extends ActivationRequest<TEntitlementId> {
   protected JitActivationRequest(
     ActivationId id,
-    UserId requestingUser,
+    UserEmail requestingUser,
     Set<TEntitlementId> entitlements,
     String justification,
     Instant startTime,

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/JustificationPolicy.java

@@ -21,7 +21,7 @@
 
 package com.google.solutions.jitaccess.core.catalog;
 
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 
 /**
  * Policy for verifying justification messages.
@@ -31,7 +31,7 @@ public interface JustificationPolicy {
    * Check that a justification meets criteria.
    */
   void checkJustification(
-    UserId user,
+    UserEmail user,
     String justification
   ) throws InvalidJustificationException;
 

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/MpaActivationRequest.java

@@ -22,7 +22,7 @@
 package com.google.solutions.jitaccess.core.catalog;
 
 import com.google.common.base.Preconditions;
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 
 import java.time.Duration;
 import java.time.Instant;
@@ -34,13 +34,13 @@
  */
 public abstract class MpaActivationRequest<TEntitlementId extends EntitlementId>
   extends ActivationRequest<TEntitlementId> {
-  private final Collection<UserId> reviewers;
+  private final Collection<UserEmail> reviewers;
 
   protected MpaActivationRequest(
     ActivationId id,
-    UserId requestingUser,
+    UserEmail requestingUser,
     Set<TEntitlementId> entitlements,
-    Set<UserId> reviewers,
+    Set<UserEmail> reviewers,
     String justification,
     Instant startTime,
     Duration duration) {
@@ -57,7 +57,7 @@ protected MpaActivationRequest(
     this.reviewers = reviewers;
   }
 
-  public Collection<UserId> reviewers() {
+  public Collection<UserEmail> reviewers() {
     return this.reviewers;
   }
 

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/RegexJustificationPolicy.java

@@ -23,7 +23,7 @@
 
 import com.google.common.base.Preconditions;
 import com.google.common.base.Strings;
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 import jakarta.inject.Singleton;
 
 import java.util.regex.Pattern;
@@ -42,7 +42,7 @@ public RegexJustificationPolicy(Options options) {
 
   @Override
   public void checkJustification(
-    UserId user,
+    UserEmail user,
     String justification
   ) throws InvalidJustificationException {
     if (

sources/src/main/java/com/google/solutions/jitaccess/core/catalog/TokenSigner.java

@@ -24,7 +24,7 @@
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.base.Preconditions;
 import com.google.solutions.jitaccess.core.AccessException;
-import com.google.solutions.jitaccess.core.UserId;
+import com.google.solutions.jitaccess.core.UserEmail;
 import com.google.solutions.jitaccess.core.clients.IamCredentialsClient;
 import jakarta.inject.Singleton;
 
@@ -128,7 +128,7 @@ public record TokenWithExpiry(
     }
   }
 
-  public record Options(UserId serviceAccount, Duration tokenValidity) {
+  public record Options(UserEmail serviceAccount, Duration tokenValidity) {
     public Options {
       Preconditions.checkNotNull(serviceAccount);
       Preconditions.checkArgument(!tokenValidity.isNegative());