diff --git a/app/api/api.go b/app/api/api.go index f6a78063..92c439d6 100644 --- a/app/api/api.go +++ b/app/api/api.go @@ -389,13 +389,7 @@ func (a *api) start() error { Superuser: true, Auth: iam.UserAuth{ API: iam.UserAuthAPI{ - Userpass: iam.UserAuthPassword{ - Enable: cfg.API.Auth.Enable, - Password: cfg.API.Auth.Password, - }, - Auth0: iam.UserAuthAPIAuth0{ - Enable: cfg.API.Auth.Auth0.Enable, - }, + Auth0: iam.UserAuthAPIAuth0{}, }, Services: iam.UserAuthServices{ Token: []string{ @@ -406,6 +400,10 @@ func (a *api) start() error { }, } + if cfg.API.Auth.Enable { + superuser.Auth.API.Password = cfg.API.Auth.Password + } + if cfg.API.Auth.Auth0.Enable { superuser.Auth.API.Auth0.User = cfg.API.Auth.Auth0.Tenants[0].Users[0] superuser.Auth.API.Auth0.Tenant = iam.Auth0Tenant{ 
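Review bot: `if cfg.API.Auth.Enable { superuser.Auth.API.Password = cfg.API.Auth.Password }` lets an enabled API login with an empty configured password through silently: `UserAuthAPI` no longer has an `Enable` flag, this commit also deletes the `validate()` check that rejected an enabled login without a password (which presumably made `NewIAM` fail before), and `VerifyAPIPassword` now reports an empty password as "authentication method disabled". Unless the config layer already enforces it (not visible here), fail startup instead: `if cfg.API.Auth.Enable && len(cfg.API.Auth.Password) == 0 { return fmt.Errorf("api: auth is enabled but no password is configured") }`. The superuser literal and `start()` both extend beyond this hunk.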
@@ -415,126 +413,6 @@ func (a *api) start() error { } } - // Create policies and users in order to mimic the behaviour before IAM - - policies := []iam.Policy{ - { - Name: "$anon", - Domain: "$none", - Resource: "fs:/**", - Actions: []string{"GET", "HEAD", "OPTIONS"}, - }, - { - Name: "$anon", - Domain: "$none", - Resource: "api:/api", - Actions: []string{"GET", "HEAD", "OPTIONS"}, - }, - { - Name: "$anon", - Domain: "$none", - Resource: "api:/api/v3/widget/process/**", - Actions: []string{"GET", "HEAD", "OPTIONS"}, - }, - } - - users := []iam.User{} - - if !cfg.Storage.Memory.Auth.Enable { - policies = append(policies, iam.Policy{ - Name: "$anon", - Domain: "$none", - Resource: "fs:/memfs/**", - Actions: []string{"ANY"}, - }) - } else { - if cfg.Storage.Memory.Auth.Username != superuser.Name { - users = append(users, iam.User{ - Name: cfg.Storage.Memory.Auth.Username, - Auth: iam.UserAuth{ - Services: iam.UserAuthServices{ - Basic: []iam.UserAuthPassword{ - { - Enable: cfg.Storage.Memory.Auth.Enable, - Password: cfg.Storage.Memory.Auth.Password, - }, - }, - }, - }, - }) - } else { - superuser.Auth.Services.Basic = append(superuser.Auth.Services.Basic, iam.UserAuthPassword{ - Enable: cfg.Storage.Memory.Auth.Enable, - Password: cfg.Storage.Memory.Auth.Password, - }) - } - - policies = append(policies, iam.Policy{ - Name: cfg.Storage.Memory.Auth.Username, - Domain: "$none", - Resource: "fs:/memfs/**", - Actions: []string{"ANY"}, - }) - } - - for _, s := range cfg.Storage.S3 { - if !s.Auth.Enable { - policies = append(policies, iam.Policy{ - Name: "$anon", - Domain: "$none", - Resource: "fs:" + s.Mountpoint + "/**", - Actions: []string{"ANY"}, - }) - } else { - if s.Auth.Username != superuser.Name { - users = append(users, iam.User{ - Name: s.Auth.Username, - Auth: iam.UserAuth{ - Services: iam.UserAuthServices{ - Basic: []iam.UserAuthPassword{ - { - Enable: s.Auth.Enable, - Password: s.Auth.Password, - }, - }, - }, - }, - }) - } else { - superuser.Auth.Services.Basic 
= append(superuser.Auth.Services.Basic, iam.UserAuthPassword{ - Enable: s.Auth.Enable, - Password: s.Auth.Password, - }) - } - - policies = append(policies, iam.Policy{ - Name: s.Auth.Username, - Domain: "$none", - Resource: "fs:" + s.Mountpoint + "/**", - Actions: []string{"ANY"}, - }) - - } - } - - if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 { - policies = append(policies, iam.Policy{ - Name: "$anon", - Domain: "$none", - Resource: "rtmp:/**", - Actions: []string{"ANY"}, - }) - } - - if cfg.SRT.Enable && len(cfg.SRT.Token) == 0 { - policies = append(policies, iam.Policy{ - Name: "$anon", - Domain: "$none", - Resource: "srt:**", - Actions: []string{"ANY"}, - }) - } - fs, err := fs.NewRootedDiskFilesystem(fs.RootedDiskConfig{ Root: filepath.Join(cfg.DB.Dir, "iam"), }) @@ -547,7 +425,7 @@ func (a *api) start() error { secret = cfg.API.Auth.Username + cfg.API.Auth.Password + cfg.API.Auth.JWT.Secret } - iam, err := iam.NewIAM(iam.Config{ + manager, err := iam.NewIAM(iam.Config{ FS: fs, Superuser: superuser, JWTRealm: "datarhei-core", 
@@ -558,24 +436,111 @@ func (a *api) start() error { return fmt.Errorf("iam: %w", err) } - for _, user := range users { - if _, err := iam.GetIdentity(user.Name); err == nil { - continue + // Check if there are already file created by IAM. If not, create policies + // and users based on the config in order to mimic the behaviour before IAM. + if len(fs.List("/", "/*.json")) == 0 { + policies := []iam.Policy{ + { + Name: "$anon", + Domain: "$none", + Resource: "fs:/**", + Actions: []string{"GET", "HEAD", "OPTIONS"}, + }, + { + Name: "$anon", + Domain: "$none", + Resource: "api:/api", + Actions: []string{"GET", "HEAD", "OPTIONS"}, + }, + { + Name: "$anon", + Domain: "$none", + Resource: "api:/api/v3/widget/process/**", + Actions: []string{"GET", "HEAD", "OPTIONS"}, + }, } - err := iam.CreateIdentity(user) - if err != nil { - return fmt.Errorf("iam: %w", err) + users := map[string]iam.User{} + + if cfg.Storage.Memory.Auth.Enable && cfg.Storage.Memory.Auth.Username != superuser.Name { + users[cfg.Storage.Memory.Auth.Username] = iam.User{ + Name: cfg.Storage.Memory.Auth.Username, + Auth: iam.UserAuth{ + Services: iam.UserAuthServices{ + Basic: []string{cfg.Storage.Memory.Auth.Password}, + }, + }, + } + + policies = append(policies, iam.Policy{ + Name: cfg.Storage.Memory.Auth.Username, + Domain: "$none", + Resource: "fs:/memfs/**", + Actions: []string{"ANY"}, + }) + } + + for _, s := range cfg.Storage.S3 { + if s.Auth.Enable && s.Auth.Username != superuser.Name { + user, ok := users[s.Auth.Username] + if !ok { + users[s.Auth.Username] = iam.User{ + Name: s.Auth.Username, + Auth: iam.UserAuth{ + Services: iam.UserAuthServices{ + Basic: []string{s.Auth.Password}, + }, + }, + } + } else { + user.Auth.Services.Basic = append(user.Auth.Services.Basic, s.Auth.Password) + users[s.Auth.Username] = user + } + + policies = append(policies, iam.Policy{ + Name: s.Auth.Username, + Domain: "$none", + Resource: "fs:" + s.Mountpoint + "/**", + Actions: []string{"ANY"}, + }) + } + } + + 
if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 { + policies = append(policies, iam.Policy{ + Name: "$anon", + Domain: "$none", + Resource: "rtmp:/**", + Actions: []string{"ANY"}, + }) + } + + if cfg.SRT.Enable && len(cfg.SRT.Token) == 0 { + policies = append(policies, iam.Policy{ + Name: "$anon", + Domain: "$none", + Resource: "srt:**", + Actions: []string{"ANY"}, + }) + } + + for _, user := range users { + if _, err := manager.GetIdentity(user.Name); err == nil { + continue + } + + err := manager.CreateIdentity(user) + if err != nil { + return fmt.Errorf("iam: %w", err) + } + } + + for _, policy := range policies { + manager.AddPolicy(policy.Name, policy.Domain, policy.Resource, policy.Actions) } } - iam.SaveIdentities() - - for _, policy := range policies { - iam.AddPolicy(policy.Name, policy.Domain, policy.Resource, policy.Actions) - } - - a.iam = iam + a.iam = manager } diskfs, err := fs.NewRootedDiskFilesystem(fs.RootedDiskConfig{ diff --git a/http/api/iam.go b/http/api/iam.go index a8e1f1fc..aea4f50b 100644 --- a/http/api/iam.go +++ b/http/api/iam.go 
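Review bot: The bootstrap block no longer creates the `$anon` `ANY` policies for `fs:/memfs/**` when memory auth is disabled and for `fs:<mountpoint>/**` on S3 mounts without auth, and it drops the branch that appended the memfs/S3 password to the superuser's `Services.Basic` when the configured username equals the superuser name; the remaining `$anon` rule on `fs:/**` grants only GET/HEAD/OPTIONS, so anonymous writes the old code allowed now require a credential. If that tightening is intended, state it above `policies`, e.g. `// Filesystems without auth get no $anon write policy; anonymous access falls back to the GET/HEAD/OPTIONS rule on fs:/**`; otherwise the two cases need restoring. The guard comment would also read better as `// If IAM has not written any files yet, seed policies and users from the config to mimic the pre-IAM behaviour.` `start()` continues outside the hunk.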
@@ -14,28 +14,22 @@ func (u *IAMUser) Marshal(user iam.User, policies []iam.Policy) { u.Superuser = user.Superuser u.Auth = IAMUserAuth{ API: IAMUserAuthAPI{ - Userpass: IAMUserAuthPassword{ - Enable: user.Auth.API.Userpass.Enable, - Password: user.Auth.API.Userpass.Password, - }, + Password: user.Auth.API.Password, Auth0: IAMUserAuthAPIAuth0{ - Enable: false, - User: "", - Tenant: IAMAuth0Tenant{}, + User: user.Auth.API.Auth0.User, + Tenant: IAMAuth0Tenant{ + Domain: user.Auth.API.Auth0.Tenant.Domain, + Audience: user.Auth.API.Auth0.Tenant.Audience, + ClientID: user.Auth.API.Auth0.Tenant.ClientID, + }, }, }, Services: IAMUserAuthServices{ + Basic: user.Auth.Services.Basic, Token: user.Auth.Services.Token, }, } - for _, basic := range user.Auth.Services.Basic { - u.Auth.Services.Basic = append(u.Auth.Services.Basic, IAMUserAuthPassword{ - Enable: basic.Enable, - Password: basic.Password, - }) - } - for _, p := range policies { u.Policies = append(u.Policies, IAMPolicy{ Domain: p.Domain, @@ -51,13 +45,9 @@ func (u *IAMUser) Unmarshal() (iam.User, []iam.Policy) { Superuser: u.Superuser, Auth: iam.UserAuth{ API: iam.UserAuthAPI{ - Userpass: iam.UserAuthPassword{ - Enable: u.Auth.API.Userpass.Enable, - Password: u.Auth.API.Userpass.Password, - }, + Password: u.Auth.API.Password, Auth0: iam.UserAuthAPIAuth0{ - Enable: u.Auth.API.Auth0.Enable, - User: u.Auth.API.Auth0.User, + User: u.Auth.API.Auth0.User, Tenant: iam.Auth0Tenant{ Domain: u.Auth.API.Auth0.Tenant.Domain, Audience: u.Auth.API.Auth0.Tenant.Audience, @@ -66,18 +56,12 @@ func (u *IAMUser) Unmarshal() (iam.User, []iam.Policy) { }, }, Services: iam.UserAuthServices{ + Basic: u.Auth.Services.Basic, Token: u.Auth.Services.Token, }, }, } - for _, basic := range u.Auth.Services.Basic { - iamuser.Auth.Services.Basic = append(iamuser.Auth.Services.Basic, iam.UserAuthPassword{ - Enable: basic.Enable, - Password: basic.Password, - }) - } - iampolicies := []iam.Policy{} for _, p := range u.Policies { 
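Review bot: `Basic: user.Auth.Services.Basic` in `Marshal` (and `Basic: u.Auth.Services.Basic` in `Unmarshal`) now shares a backing array with the source struct, where the old loop built a fresh slice; an `append` or element write on either side afterwards shows up on the other. Detach with `slices.Clone(user.Auth.Services.Basic)` (or `append([]string(nil), ... )` on older Go), which `Token` would also benefit from, although that aliasing predates this commit. The DTO still carries the API password and every basic-auth password verbatim; if `IAMUser` is also what a read endpoint returns, those secrets go out in plaintext, which likewise predates this change but is worth a second look while the mapping is being reworked. Both methods continue outside the hunk.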
@@ -98,24 +82,18 @@ type IAMUserAuth struct { } type IAMUserAuthAPI struct { - Userpass IAMUserAuthPassword `json:"userpass"` + Password string `json:"userpass"` Auth0 IAMUserAuthAPIAuth0 `json:"auth0"` } type IAMUserAuthAPIAuth0 struct { - Enable bool `json:"enable"` User string `json:"user"` Tenant IAMAuth0Tenant `json:"tenant"` } type IAMUserAuthServices struct { - Basic []IAMUserAuthPassword `json:"basic"` - Token []string `json:"token"` -} - -type IAMUserAuthPassword struct { - Enable bool `json:"enable"` - Password string `json:"password"` + Basic []string `json:"basic"` + Token []string `json:"token"` } type IAMAuth0Tenant struct { diff --git a/http/middleware/iam/iam_test.go b/http/middleware/iam/iam_test.go index 116bced4..096c3803 100644 --- a/http/middleware/iam/iam_test.go +++ b/http/middleware/iam/iam_test.go @@ -45,18 +45,10 @@ func getIAM() (iam.IAM, error) { Name: "foobar", Auth: iam.UserAuth{ API: iam.UserAuthAPI{ - Userpass: iam.UserAuthPassword{ - Enable: true, - Password: "secret", - }, + Password: "secret", }, Services: iam.UserAuthServices{ - Basic: []iam.UserAuthPassword{ - { - Enable: true, - Password: "secret", - }, - }, + Basic: []string{"secret"}, }, }, }) diff --git a/iam/identity.go b/iam/identity.go index 4eaf66ae..c732517a 100644 --- a/iam/identity.go +++ b/iam/identity.go @@ -33,24 +33,18 @@ type UserAuth struct { } type UserAuthAPI struct { - Userpass UserAuthPassword `json:"userpass"` + Password string `json:"password"` Auth0 UserAuthAPIAuth0 `json:"auth0"` } type UserAuthAPIAuth0 struct { - Enable bool `json:"enable"` User string `json:"user"` Tenant Auth0Tenant `json:"tenant"` } type UserAuthServices struct { - Basic []UserAuthPassword `json:"basic"` - Token []string `json:"token"` -} - -type UserAuthPassword struct { - Enable bool `json:"enable"` - Password string `json:"password"` + Basic []string `json:"basic"` + Token []string `json:"token"` } func (u *User) validate() error { 
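Review bot: `Password string `json:"userpass"`` keeps the old wire name on a renamed field while the iam package's counterpart uses `json:"password"`, and `Basic []string` changes each `basic` element from an `{enable, password}` object to a bare string with `enable` dropped everywhere; API clients that send or read the old shape will break. A field comment stops the next reader from "fixing" the tag, e.g. `// Password is serialised as "userpass" so the public API field name stays unchanged; an empty value disables API password login.`, and the shape change belongs in the API docs or changelog. `IAMAuth0Tenant` continues outside the hunk.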
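Review bot: With `Enable` gone, an empty string is now the only way to disable a method (`VerifyAPIPassword`, `VerifyAPIAuth0` and `VerifyServiceBasicAuth` in this commit all test `len(...) == 0`), but nothing on `UserAuthAPI`, `UserAuthAPIAuth0` or `UserAuthServices` says so. Field comments would carry that contract: `// Password enables API password login when non-empty.`, `// User is the Auth0 subject; empty disables Auth0 login.` and `// Basic lists service basic-auth passwords; empty entries are ignored.` `validate()` starts on the hunk's last line and continues outside it.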
@@ -65,20 +59,6 @@ func (u *User) validate() error { return fmt.Errorf("the name can only contain [%s]", chars) } - if u.Auth.API.Userpass.Enable && len(u.Auth.API.Userpass.Password) == 0 { - return fmt.Errorf("a password for API login is required") - } - - if u.Auth.API.Auth0.Enable && len(u.Auth.API.Auth0.User) == 0 { - return fmt.Errorf("a user for Auth0 login is required") - } - - for i, basic := range u.Auth.Services.Basic { - if basic.Enable && len(basic.Password) == 0 { - return fmt.Errorf("a password for service basic auth nr. %d is required", i) - } - } - return nil } @@ -141,11 +121,11 @@ func (i *identity) VerifyAPIPassword(password string) (bool, error) { return false, fmt.Errorf("invalid identity") } - if !i.user.Auth.API.Userpass.Enable { + if len(i.user.Auth.API.Password) == 0 { return false, fmt.Errorf("authentication method disabled") } - return i.user.Auth.API.Userpass.Password == password, nil + return i.user.Auth.API.Password == password, nil } func (i *identity) VerifyAPIAuth0(jwt string) (bool, error) { @@ -156,7 +136,7 @@ func (i *identity) VerifyAPIAuth0(jwt string) (bool, error) { return false, fmt.Errorf("invalid identity") } - if !i.user.Auth.API.Auth0.Enable { + if len(i.user.Auth.API.Auth0.User) == 0 { return false, fmt.Errorf("authentication method disabled") } @@ -310,24 +290,17 @@ func (i *identity) VerifyServiceBasicAuth(password string) (bool, error) { return false, fmt.Errorf("invalid identity") } - valid := false - - for _, basic := range i.user.Auth.Services.Basic { - if !basic.Enable { + for _, pw := range i.user.Auth.Services.Basic { + if len(pw) == 0 { continue } - if basic.Password == password { - valid = true - break + if pw == password { + return true, nil } } - if !valid { - return false, nil - } - - return true, nil + return false, nil } func (i *identity) GetServiceBasicAuth() string { 
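Review bot: `return i.user.Auth.API.Password == password, nil` compares a secret with `==`, which stops at the first differing byte; `return subtle.ConstantTimeCompare([]byte(i.user.Auth.API.Password), []byte(password)) == 1, nil` from `crypto/subtle` removes the content-dependent timing. The same applies to `if pw == password {` in `VerifyServiceBasicAuth` (the @@ -310 hunk), which would become `if subtle.ConstantTimeCompare([]byte(pw), []byte(password)) == 1 {`. The old code compared with `==` as well, so this is carried over rather than introduced here. Both functions start outside their hunks.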
@@ -338,12 +311,12 @@ func (i *identity) GetServiceBasicAuth() string { return "" } - for _, basic := range i.user.Auth.Services.Basic { - if !basic.Enable { + for _, password := range i.user.Auth.Services.Basic { + if len(password) == 0 { continue } - return basic.Password + return password } return "" @@ -374,11 +347,15 @@ func (i *identity) GetServiceToken() string { return "" } - if len(i.user.Auth.Services.Token) == 0 { - return "" + for _, token := range i.user.Auth.Services.Token { + if len(token) == 0 { + continue + } + + return i.Name() + ":" + token } - return i.Name() + ":" + i.user.Auth.Services.Token[0] + return "" } func (i *identity) isValid() bool { @@ -469,6 +446,7 @@ func NewIdentityManager(config IdentityConfig) (IdentityManager, error) { } im.root = identity + im.autosave = true return im, nil } @@ -524,7 +502,7 @@ func (im *identityManager) create(u User) (*identity, error) { u = u.clone() identity := u.marshalIdentity() - if identity.user.Auth.API.Auth0.Enable { + if len(identity.user.Auth.API.Auth0.User) != 0 { if _, ok := im.auth0UserIdentityMap[identity.user.Auth.API.Auth0.User]; ok { return nil, fmt.Errorf("the Auth0 user has already an identity") } @@ -631,7 +609,7 @@ func (im *identityManager) delete(name string) error { identity.valid = false identity.lock.Unlock() - if !identity.user.Auth.API.Auth0.Enable { + if len(identity.user.Auth.API.Auth0.User) == 0 { if im.autosave { im.save(im.filePath) } @@ -664,7 +642,7 @@ func (im *identityManager) delete(name string) error { // find out if the tenant's clientid is still used somewhere else found = false for _, i := range im.identities { - if !i.user.Auth.API.Auth0.Enable { + if len(i.user.Auth.API.Auth0.User) == 0 { continue } diff --git a/iam/identity_test.go b/iam/identity_test.go index 9ea6c6a1..93c6d0cf 100644 --- a/iam/identity_test.go +++ b/iam/identity_test.go 
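Review bot: `im.autosave = true` is switched on only after `im.root = identity`, so the config-provided superuser is presumably never written to disk while later changes are (the `delete` hunk below gates `im.save` on `im.autosave`); that ordering looks deliberate but reads like an oversight without a comment, e.g. `// Enable autosave only now: the superuser comes from the config and must not be persisted.` In the same `delete` hunk the result of `im.save(im.filePath)` is still discarded, so a failed write after a deletion goes unnoticed; that predates this commit, but a log line at least would help. `NewIdentityManager` and `delete` both continue outside their hunks.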
@@ -22,41 +22,6 @@ func TestUserName(t *testing.T) { require.Error(t, err) } -func TestUserAuth(t *testing.T) { - user := User{ - Name: "foobar", - } - - err := user.validate() - require.NoError(t, err) - - user.Auth.API.Userpass.Enable = true - err = user.validate() - require.Error(t, err) - - user.Auth.API.Userpass.Password = "secret" - err = user.validate() - require.NoError(t, err) - - user.Auth.API.Auth0.Enable = true - err = user.validate() - require.Error(t, err) - - user.Auth.API.Auth0.User = "auth0|123456" - err = user.validate() - require.NoError(t, err) - - user.Auth.Services.Basic = append(user.Auth.Services.Basic, UserAuthPassword{ - Enable: true, - }) - err = user.validate() - require.Error(t, err) - - user.Auth.Services.Basic[0].Password = "secret" - err = user.validate() - require.NoError(t, err) -} - func TestIdentity(t *testing.T) { user := User{ Name: "foobar", @@ -123,8 +88,7 @@ func TestIdentityAPIAuth(t *testing.T) { require.False(t, ok) require.Error(t, err) - identity.user.Auth.API.Userpass.Enable = true - identity.user.Auth.API.Userpass.Password = "secret" + identity.user.Auth.API.Password = "secret" ok, err = identity.VerifyAPIPassword("secret") require.False(t, ok) @@ -136,14 +100,13 @@ func TestIdentityAPIAuth(t *testing.T) { require.True(t, ok) require.NoError(t, err) - identity.user.Auth.API.Userpass.Enable = false + identity.user.Auth.API.Password = "" ok, err = identity.VerifyAPIPassword("secret") require.False(t, ok) require.Error(t, err) - identity.user.Auth.API.Userpass.Enable = true - identity.user.Auth.API.Userpass.Password = "terces" + identity.user.Auth.API.Password = "terces" ok, err = identity.VerifyAPIPassword("secret") require.False(t, ok) 
@@ -161,10 +124,7 @@ func TestIdentityServiceBasicAuth(t *testing.T) { require.False(t, ok) require.Error(t, err) - identity.user.Auth.Services.Basic = append(identity.user.Auth.Services.Basic, UserAuthPassword{ - Enable: true, - Password: "secret", - }) + identity.user.Auth.Services.Basic = append(identity.user.Auth.Services.Basic, "secret") ok, err = identity.VerifyServiceBasicAuth("secret") require.False(t, ok) @@ -176,14 +136,13 @@ func TestIdentityServiceBasicAuth(t *testing.T) { require.True(t, ok) require.NoError(t, err) - identity.user.Auth.Services.Basic[0].Enable = false + identity.user.Auth.Services.Basic[0] = "" ok, err = identity.VerifyServiceBasicAuth("secret") require.False(t, ok) require.NoError(t, err) - identity.user.Auth.Services.Basic[0].Enable = true - identity.user.Auth.Services.Basic[0].Password = "terces" + identity.user.Auth.Services.Basic[0] = "terces" ok, err = identity.VerifyServiceBasicAuth("secret") require.False(t, ok) @@ -325,8 +284,7 @@ func TestCreateUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|123456", + User: "auth0|123456", Tenant: Auth0Tenant{ Domain: "example.com", Audience: "https://api.example.com/", @@ -344,8 +302,7 @@ func TestCreateUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|123456", + User: "auth0|123456", Tenant: Auth0Tenant{ Domain: "datarhei-demo.eu.auth0.com", Audience: "https://datarhei-demo.eu.auth0.com/api/v2/", @@ -383,8 +340,7 @@ func TestCreateUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|123456", + User: "auth0|123456", Tenant: Auth0Tenant{ Domain: "datarhei-demo.eu.auth0.com", Audience: "https://datarhei-demo.eu.auth0.com/api/v2/", 
@@ -402,8 +358,7 @@ func TestCreateUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|987654", + User: "auth0|987654", Tenant: Auth0Tenant{ Domain: "datarhei-demo.eu.auth0.com", Audience: "https://datarhei-demo.eu.auth0.com/api/v2/", @@ -544,8 +499,7 @@ func TestUpdateUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|123456", + User: "auth0|123456", Tenant: Auth0Tenant{ Domain: "datarhei-demo.eu.auth0.com", Audience: "https://datarhei-demo.eu.auth0.com/api/v2/", @@ -607,19 +561,11 @@ func TestRemoveUser(t *testing.T) { Superuser: false, Auth: UserAuth{ API: UserAuthAPI{ - Userpass: UserAuthPassword{ - Enable: true, - Password: "apisecret", - }, - Auth0: UserAuthAPIAuth0{}, + Password: "apisecret", + Auth0: UserAuthAPIAuth0{}, }, Services: UserAuthServices{ - Basic: []UserAuthPassword{ - { - Enable: true, - Password: "secret", - }, - }, + Basic: []string{"secret"}, Token: []string{"tokensecret"}, }, }, @@ -706,8 +652,7 @@ func TestRemoveUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|123456", + User: "auth0|123456", Tenant: Auth0Tenant{ Domain: "datarhei-demo.eu.auth0.com", Audience: "https://datarhei-demo.eu.auth0.com/api/v2/", @@ -725,8 +670,7 @@ func TestRemoveUserAuth0(t *testing.T) { Auth: UserAuth{ API: UserAuthAPI{ Auth0: UserAuthAPIAuth0{ - Enable: true, - User: "auth0|987654", + User: "auth0|987654", Tenant: Auth0Tenant{ Domain: "datarhei-demo.eu.auth0.com", Audience: "https://datarhei-demo.eu.auth0.com/api/v2/", diff --git a/restream/rewrite/rewrite_test.go b/restream/rewrite/rewrite_test.go index 63c74082..f1a1ae1b 100644 --- a/restream/rewrite/rewrite_test.go +++ b/restream/rewrite/rewrite_test.go 
@@ -13,24 +13,24 @@ import ( func getIdentityManager(enableBasic bool) iam.IdentityManager { dummyfs, _ := fs.NewMemFilesystem(fs.MemConfig{}) - im, _ := iam.NewIdentityManager(iam.IdentityConfig{ - FS: dummyfs, - Superuser: iam.User{ - Name: "foobar", - Superuser: false, - Auth: iam.UserAuth{ - API: iam.UserAuthAPI{}, - Services: iam.UserAuthServices{ - Basic: []iam.UserAuthPassword{ - { - Enable: enableBasic, - Password: "basicauthpassword", - }, - }, - Token: []string{"servicetoken"}, - }, + superuser := iam.User{ + Name: "foobar", + Superuser: false, + Auth: iam.UserAuth{ + API: iam.UserAuthAPI{}, + Services: iam.UserAuthServices{ + Token: []string{"servicetoken"}, }, }, + } + + if enableBasic { + superuser.Auth.Services.Basic = []string{"basicauthpassword"} + } + + im, _ := iam.NewIdentityManager(iam.IdentityConfig{ + FS: dummyfs, + Superuser: superuser, JWTRealm: "", JWTSecret: "", Logger: nil,