From b74c336ebc856270a0f2fedadf092c4172939e35 Mon Sep 17 00:00:00 2001
From: Michael Uray <25169478+MichaelUray@users.noreply.github.com>
Date: Mon, 6 Apr 2026 15:15:25 +0000
Subject: [PATCH] fix(management): handle missing NetworkAddresses in peer network range posture check
Peers with empty NetworkAddresses (e.g., older mobile clients) were blocked by deny-action posture checks. Allow them through since we cannot confirm they ARE in the denied range. Update tests to match new behavior.
---
 management/server/posture/network.go | 8 +++++++-
 management/server/posture/network_test.go | 8 ++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/management/server/posture/network.go b/management/server/posture/network.go
index f7874414396..deba261c80e 100644
--- a/management/server/posture/network.go
+++ b/management/server/posture/network.go
@@ -19,7 +19,13 @@ var _ Check = (*PeerNetworkRangeCheck)(nil)
 func (p *PeerNetworkRangeCheck) Check(ctx context.Context, peer nbpeer.Peer) (bool, error) {
 if len(peer.Meta.NetworkAddresses) == 0 {
- return false, fmt.Errorf("peer's does not contain peer network range addresses")
+ // No network address info available from the peer (e.g. older mobile clients).
+ // For "deny" action: allow the peer since we cannot confirm it IS in the denied range.
+ // For "allow" action: deny the peer since we cannot confirm it IS in the allowed range.
+ if p.Action == CheckActionDeny {
+ return true, nil
+ }
+ return false, nil
 }
 maskedPrefixes := make([]netip.Prefix, 0, len(p.Ranges))
diff --git a/management/server/posture/network_test.go b/management/server/posture/network_test.go
index a841bbe08e3..dbb1443038b 100644
--- a/management/server/posture/network_test.go
+++ b/management/server/posture/network_test.go
@@ -73,7 +73,7 @@ func TestPeerNetworkRangeCheck_Check(t *testing.T) {
 },
 },
 peer: nbpeer.Peer{},
- wantErr: true,
+ wantErr: false,
 isValid: false,
 },
 {
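Review bot: The added `return true, nil` makes a deny-action check pass whenever `peer.Meta.NetworkAddresses` is empty, so a deny range is now enforced only for peers that reported addresses; that list appears to be client-supplied metadata, and nothing in this branch distinguishes a client that cannot report addresses from one that simply did not. The decision should at least be observable: log the peer identity and the check name at the fail-open return so operators can see which peers passed a deny check without address data, and consider counting those cases in a metric. If the peer metadata carries a reported client version, scoping the exception to versions known to lack address reporting would narrow it considerably. The rationale comment should also name the trust assumption, e.g. `// NOTE: fails open for deny rules when the client-reported address list is absent; revisit once all supported clients report addresses.` The enclosing Check method continues past the end of the hunk.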
@@ -122,7 +122,7 @@ func TestPeerNetworkRangeCheck_Check(t *testing.T) {
 isValid: true,
 },
 {
- name: "Peer with no networks range in the denied range",
+ name: "Peer with no networks range in the denied range is allowed through",
 check: PeerNetworkRangeCheck{
 Action: CheckActionDeny,
 Ranges: []netip.Prefix{
@@ -131,8 +131,8 @@ func TestPeerNetworkRangeCheck_Check(t *testing.T) {
 },
 },
 peer: nbpeer.Peer{},
- wantErr: true,
- isValid: false,
+ wantErr: false,
+ isValid: true,
 },
 }