[management] Handle missing NetworkAddresses in peer network range posture check

[MichaelUray]

Summary

Peers with empty NetworkAddresses (e.g., older mobile clients that don't report network interfaces) were incorrectly handled by the peer_network_range_check posture check. The check returned an error, which blocked the peer entirely.

Fix: For deny action, allow the peer through (can't confirm it IS in the denied range). For allow action, deny the peer (can't confirm it IS in the allowed range).

Includes updated unit tests.

Checklist

• Bug fix
• Create tests that fail without the change: updated existing tests to match new behavior
• Documentation not needed — behavioral fix for edge case

By submitting this pull request, I confirm that I have read and agree to the terms of the Contributor License Agreement.

Summary by CodeRabbit

• Bug Fixes
  • Fixed network posture validation to properly handle peers without configured network addresses. The system now applies the configured policy rules correctly instead of returning errors, improving the reliability of network access checks.

Related Issues

Fixes #3968 — Posture checks peer network range failed on iPhone
Fixes #4657 — iOS Client loses all routes when Posture Checks are enabled
Related #5437 — Netbird not honoring large peer network ranges

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PeerNetworkRangeCheck.Check method now handles empty network addresses differently. Instead of returning an error, it returns a boolean outcome based on the action type: CheckActionDeny returns true (allow), while CheckActionAllow returns false (deny). Test cases were updated accordingly.

Changes

Cohort / File(s)	Summary
Network Range Check Logic management/server/posture/network.go	Modified empty network address handling to return action-based outcomes instead of errors: returns true for CheckActionDeny and false for CheckActionAllow.
Test Expectations management/server/posture/network_test.go	Updated test assertions for empty peer scenarios: allow case expects invalid but no error; deny case expects valid and no error.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• crn4

Poem

🐰 Hops through networks empty and bare,
No addresses found, but we don't despair!
Allow says no, Deny says yes—
Logic flipped with such finesse!
Empty checks now find their way. 🌐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: handling missing NetworkAddresses in the peer network range posture check.
Description check	✅ Passed	The PR description follows the required template with all essential sections completed: summary of changes, issue references, checklist items marked appropriately, CLA confirmation, and documentation justification provided.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud