[management] Handle missing NetworkAddresses in peer network range posture check #5806

Open
MichaelUray wants to merge 1 commit into netbirdio:main from MichaelUray:fix/posture-check-empty-network-addresses

MichaelUray commented Apr 6, 2026

Summary

Peers with empty NetworkAddresses (e.g., older mobile clients that don't report network interfaces) were incorrectly handled by the peer_network_range_check posture check. The check returned an error, which blocked the peer entirely.

Fix: For deny action, allow the peer through (can't confirm it IS in the denied range). For allow action, deny the peer (can't confirm it IS in the allowed range).

Includes updated unit tests.

Checklist

  • Bug fix
  • Create tests that fail without the change: updated existing tests to match new behavior
  • Documentation is not needed — behavioral fix for edge case

By submitting this pull request, I confirm that I have read and agree to the terms of the Contributor License Agreement.

Summary by CodeRabbit

  • Bug Fixes
    • Network posture checks no longer error for peers without configured network addresses; policy action is deterministically applied (allow or deny) improving reliability of access decisions.
  • Tests
    • Updated tests to reflect new behavior for peers with no network addresses (expect no error and adjusted validity outcomes).

Related Issues

Fixes #3968 — Posture checks peer network range failed on iPhone
Fixes #4657 — iOS Client loses all routes when Posture Checks are enabled
Related #5437 — Netbird not honoring large peer network ranges
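
The decision table described in this pull request, as an added Go example that is not the NetBird code: `Check` and `Evaluate` are hypothetical names, and the action string values, the address-containment matching and the sample range are assumptions. With no reported addresses a deny check passes (fail-open) and an allow check fails (fail-closed).

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action values named after the PR's CheckActionAllow / CheckActionDeny (string values assumed).
const (
	CheckActionAllow = "allow"
	CheckActionDeny  = "deny"
)

// Check is a hypothetical stand-in for PeerNetworkRangeCheck.Check (not the project's code).
func Check(action string, ranges []netip.Prefix, addrs []netip.Addr) (bool, error) {
	if action != CheckActionAllow && action != CheckActionDeny {
		return false, fmt.Errorf("invalid check action: %q", action)
	}
	if len(addrs) == 0 {
		// No reported interfaces: membership in any range cannot be confirmed.
		// deny => pass (fail-open), allow => fail (fail-closed).
		return action == CheckActionDeny, nil
	}
	for _, a := range addrs {
		for _, r := range ranges {
			if r.Contains(a) {
				return action == CheckActionAllow, nil
			}
		}
	}
	return action == CheckActionDeny, nil // no match: deny passes, allow fails
}

// Evaluate parses constructed string input and runs Check.
func Evaluate(action, cidr string, addrs ...string) (bool, error) {
	var parsed []netip.Addr
	for _, s := range addrs {
		parsed = append(parsed, netip.MustParseAddr(s))
	}
	return Check(action, []netip.Prefix{netip.MustParsePrefix(cidr)}, parsed)
}

func main() {
	for _, action := range []string{CheckActionAllow, CheckActionDeny} {
		empty, _ := Evaluate(action, "192.168.0.0/24") // constructed sample range
		inside, _ := Evaluate(action, "192.168.0.0/24", "192.168.0.12")
		fmt.Printf("action=%s no-addresses=%v in-range=%v\n", action, empty, inside)
	}
}
```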

CLAassistant commented Apr 6, 2026

CLA assistant check
All committers have signed the CLA.

coderabbitai Bot commented Apr 6, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 42f255a and b74c336.

📒 Files selected for processing (2)
  • management/server/posture/network.go
  • management/server/posture/network_test.go

Walkthrough

PeerNetworkRangeCheck.Check no longer treats missing peer.Meta.NetworkAddresses as an error; when addresses are absent it deterministically returns allow/deny based on p.Action (CheckActionDeny => allow(true), CheckActionAllow => deny(false)). Tests were updated to match this behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Network Range Check Logic (management/server/posture/network.go) | Changed handling of peers with empty NetworkAddresses: return action-based boolean (allow/deny) instead of an error when no addresses present; preserved existing error path for invalid actions when addresses exist. |
| Test Expectations (management/server/posture/network_test.go) | Adjusted test cases for peers without network addresses: updated expectations for allow/deny scenarios to assert no error and the new validity results. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • pascal-fischer
  • pappz
  • crn4

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: handling missing NetworkAddresses in peer network range posture check logic. |
| Description check | ✅ Passed | The description covers all required sections including a clear summary, checklist items completed, CLA confirmation, and related issues. All key information is present. |
| Linked Issues check | ✅ Passed | The code changes directly address the root cause described in linked issues #3968 and #4657: peers with missing NetworkAddresses are now deterministically handled instead of causing errors, allowing iPhone and other mobile clients without reported network interfaces to function properly with posture checks. |
| Out of Scope Changes check | ✅ Passed | All changes are narrowly scoped to the peer network range posture check logic. The modifications to network.go and network_test.go directly address the missing NetworkAddresses handling as defined in the linked issues, with no extraneous changes. |

…e posture check

Peers with empty NetworkAddresses (e.g., older mobile clients) were
blocked by deny-action posture checks. Allow them through since we
cannot confirm they ARE in the denied range.

Update tests to match new behavior.
MichaelUray force-pushed the fix/posture-check-empty-network-addresses branch from 42f255a to b74c336, April 25, 2026 15:43