user_key instead of user or email

permissions_engine/authz.rego

@@ -55,10 +55,10 @@ import data.store_token.token as vault_token
 import future.keywords.in
 
 roles = http.send({"method": "get", "url": "VAULT_URL/v1/opa/roles", "headers": {"X-Vault-Token": vault_token}}).body.data.roles
-user := decode_verify_token_output[_][2].CANDIG_USER_KEY        # get user key from the token payload
+user_key := decode_verify_token_output[_][2].CANDIG_USER_KEY        # get user key from the token payload
 
 allow {
-    user in roles.site_admin
+    user_key in roles.site_admin
 }
 
 keys = http.send({"method": "get", "url": "VAULT_URL/v1/opa/data", "headers": {"X-Vault-Token": vault_token}}).body.data.keys

permissions_engine/idp.rego

@@ -29,7 +29,7 @@ valid_token = true {
     decode_verify_token_output[_][0]
 }
 
-user := decode_verify_token_output[_][2].CANDIG_USER_KEY        # get user key from the token payload
+user_key := decode_verify_token_output[_][2].CANDIG_USER_KEY        # get user key from the token payload
 
 #
 # Check trusted_researcher in the token payload
@@ -45,7 +45,5 @@ import future.keywords.in
 
 roles = http.send({"method": "get", "url": "VAULT_URL/v1/opa/roles", "headers": {"X-Vault-Token": token}}).body.data.roles
 site_admin = true {
-    user in roles.site_admin
+    user_key in roles.site_admin
 }
-
-email := decode_verify_token_output[_][2].email        # get email from the token payload

permissions_engine/permissions.rego

@@ -23,7 +23,7 @@ post_input_paths = paths.post
 #
 import data.idp.valid_token
 import data.idp.trusted_researcher
-import data.idp.email
+import data.idp.user_key
 
 #
 # is registered access allowed?
@@ -43,7 +43,7 @@ registered_allowed = access.registered_datasets {
 
 default controlled_allowed = []
 
-controlled_allowed = access.controlled_access_list[email]{
+controlled_allowed = access.controlled_access_list[user_key]{
     valid_token                  # extant, valid token
 }