From 91d51c2b8810f277a1a65805a799b6ae592129df Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Fri, 14 Jan 2022 13:06:32 +0100
Subject: [PATCH] Add allow/deny to Nebula provisioner

---
 authority/provisioner/nebula.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index a77f4281..dfff8617 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -34,6 +34,7 @@ const (
 // https://signal.org/docs/specifications/xeddsa/#xeddsa and implemented by
 // go.step.sm/crypto/x25519.
 type Nebula struct {
+	*base
 	ID string `json:"-"`
 	Type string `json:"type"`
 	Name string `json:"name"`
@@ -47,6 +48,7 @@ type Nebula struct {
 
 // Init verifies and initializes the Nebula provisioner.
 func (p *Nebula) Init(config Config) error {
+	p.base = &base{} // prevent nil pointers
 	switch {
 	case p.Type == "":
 		return errors.New("provisioner type cannot be empty")
@@ -68,6 +70,16 @@ func (p *Nebula) Init(config Config) error {
 
 	p.audiences = config.Audiences.WithFragment(p.GetIDForToken())
 
+	// Initialize the x509 allow/deny policy engine
+	if p.x509PolicyEngine, err = newX509PolicyEngine(p.Options.GetX509Options()); err != nil {
+		return err
+	}
+
+	// Initialize the SSH allow/deny policy engine
+	if p.sshPolicyEngine, err = newSSHPolicyEngine(p.Options.GetSSHOptions()); err != nil {
+		return err
+	}
+
 	return nil
 }
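Review bot: The embedded `*base` field added to `Nebula` has no comment, and because it is a pointer it stays nil until `Init` assigns it (see the `p.base = &base{}` line in the second hunk), so any method promoted from `base` that is reached on a provisioner that was decoded from JSON but never initialized would dereference nil. A field comment would make that lifecycle explicit: `// base carries the allow/deny policy engines shared by all provisioners; it is nil until Init has run.` The definition of `base` is outside this patch, so what exactly it promotes is inferred, not visible here. The `Nebula` struct definition continues past the end of the hunk.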
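Review bot: Both new `return err` branches in the third hunk hand back the constructor error bare, so an operator with several provisioners cannot tell from the log which provisioner, or which of the two policy engines, rejected its allow/deny configuration; wrapping with the provisioner name fixes that, e.g. `return fmt.Errorf("initializing x509 policy engine for provisioner %q: %w", p.Name, err)` and the same for the SSH engine, using `fmt` if it is already imported or whichever errors helper this file uses. The assignments rely on an `err` variable declared earlier in `Init` and on `p.Options.GetX509Options()` / `GetSSHOptions()` tolerating a nil `Options` for provisioners configured without a policy section — both are outside the hunk, so please confirm rather than assume. It would also help to extend the function comment to `// Init verifies and initializes the Nebula provisioner, including its x509 and SSH allow/deny policy engines.` since rejecting a bad policy at startup is now part of Init's contract. The body of `Init` starts outside this hunk.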