Merge pull request #35 from CanDIG/daisieh/var-safety

DIG-1165: fix var safety issue

permissions_engine/authz.rego

@@ -56,11 +56,13 @@ allow {
 
 decode_verify_token_output[issuer] := output {
     some i
+    issuer := data.keys[i].iss
+    cert := data.keys[i].cert
     output := io.jwt.decode_verify(     # Decode and verify in one-step
         input.identity,
         {                         # With the supplied constraints:
-            "cert": data.keys[i].cert,
-            "iss": data.keys[i].iss,
+            "cert": cert,
+            "iss": issuer,
             "aud": "CLIENT_ID"
         }
     )

permissions_engine/idp.rego

@@ -6,11 +6,13 @@ package idp
 #
 decode_verify_token_output[issuer] := output {
     some i
+    issuer := data.keys[i].iss
+    cert := data.keys[i].cert
     output := io.jwt.decode_verify(     # Decode and verify in one-step
         input.token,
         {                         # With the supplied constraints:
-            "cert": data.keys[i].cert,
-            "iss": data.keys[i].iss,
+            "cert": cert,
+            "iss": issuer,
             "aud": "CLIENT_ID"
         }
     )