netbird icon indicating copy to clipboard operation
netbird copied to clipboard

Published 20 hours ago verified publisher icon netbirdio

Add option to disable default all-to-all policy

Open aliamerj opened this issue 5 months ago • 9 comments

Describe your changes

This PR introduces a new configuration option DisableDefaultPolicy that prevents the creation of the default all-to-all policy when new accounts are created. This is useful for automation scenarios where explicit policies are preferred.

Key Changes:

  • Added DisableDefaultPolicy flag to the management server config
  • Modified account creation logic to respect this flag
  • Updated all test cases to explicitly pass the flag (defaulting to false to maintain backward compatibility)
  • Propagated the flag through the account manager initialization chain

Testing:

  • Verified default behavior remains unchanged when flag is false
  • Confirmed no default policy is created when flag is true
  • All existing tests pass with the new parameter

Issue ticket number and link

Closes #3932

Stack

Checklist

  • [ ] Is it a bug fix
  • [ ] Is a typo/documentation fix
  • [x] Is a feature enhancement
  • [x] It is a refactor
  • [ ] Created tests that fail without the change (if possible)
  • [ ] Extended the README / documentation, if necessary

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

aliamerj avatar Jun 12 '25 21:06 aliamerj

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Jun 12 '25 21:06 CLAassistant

@aliamerj Thanks for your contribution! Could you please take a look at the failing tests?

bcmmbaga avatar Jun 13 '25 16:06 bcmmbaga

@bcmmbaga my bad forgot to refactor one of the tests, Now i think all good

aliamerj avatar Jun 13 '25 16:06 aliamerj

I don't know why i am getting the Linux / Management / Benchmark (API) Failing

aliamerj avatar Jun 13 '25 19:06 aliamerj

i will work on the setup.env and tests next , Thank you for feedback

aliamerj avatar Jun 14 '25 16:06 aliamerj

@bcmmbaga I think I set up the setup.env correctly , did i miss anything ?

aliamerj avatar Jun 14 '25 17:06 aliamerj

Quality Gate Passed Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Jun 16 '25 17:06 sonarqubecloud[bot]

@bcmmbaga, Do we need to have a third commit to add some tests ?

aliamerj avatar Jun 16 '25 18:06 aliamerj

@mlsmaycon

Thanks for the review! I want to clarify how the implementation handles the "All" group and default policy:

In the AddAllGroup function:

func (a *Account) AddAllGroup(disableDefaultPolicy bool) error {
    if len(a.Groups) == 0 {
        // 1. ALWAYS create the "All" group
        allGroup := &Group{...}
        a.Groups = map[string]*Group{allGroup.ID: allGroup}

        // 2. Only conditionally create the policy
        if disableDefaultPolicy {
            return nil // Skip policy creation
        }

        // 3. Create default policy (only when not disabled)
        defaultPolicy := &Policy{...}
        a.Policies = []*Policy{defaultPolicy}
    }
    return nil
}

The "All" group is always created regardless of the disableDefaultPolicy flag

Only the policy creation is conditional

In account creation paths:

// newAccountWithId ALWAYS calls AddAllGroup
func newAccountWithId(..., disableDefaultPolicy bool) *Account {
    acc := &Account{...}
    acc.AddAllGroup(disableDefaultPolicy) // Always called
    return acc
}

// GetOrCreateAccountByPrivateDomain ALWAYS calls AddAllGroup
newAccount.AddAllGroup(am.DisableDefaultPolicy)

This ensures:

  • The "All" group is always present (required for system functionality)
  • The default policy is only created when not disabled
  • Complete separation between group and policy creation

So I didn't get it , what should i change ?

aliamerj avatar Jun 25 '25 18:06 aliamerj