Add option to disable default all-to-all policy

[aliamerj]

Describe your changes

This PR introduces a new configuration option DisableDefaultPolicy that prevents the creation of the default all-to-all policy when new accounts are created. This is useful for automation scenarios where explicit policies are preferred.

Key Changes:

• Added DisableDefaultPolicy flag to the management server config
• Modified account creation logic to respect this flag
• Updated all test cases to explicitly pass the flag (defaulting to false to maintain backward compatibility)
• Propagated the flag through the account manager initialization chain

Testing:

• Verified default behavior remains unchanged when flag is false
• Confirmed no default policy is created when flag is true
• All existing tests pass with the new parameter

Issue ticket number and link

Closes #3932

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)
• Extended the README / documentation, if necessary

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

[CLAassistant]

All committers have signed the CLA.

[bcmmbaga]

@aliamerj Thanks for your contribution! Could you please take a look at the failing tests?

[aliamerj]

@bcmmbaga
my bad forgot to refactor one of the tests,
Now i think all good

[aliamerj]

I don't know why i am getting the Linux / Management / Benchmark (API) Failing

[bcmmbaga]

Looks good overall but there are a couple of missing pieces needed to make this work as expected

1. We should only add the peer to the All group when DisableDefaultPolicy is set to false , since the group won't be created when it's enabled.
   

   netbird/management/server/peer.go

   Lines 610 to 613 in 684501f

   	err = transaction.AddPeerToAllGroup(ctx, store.LockingStrengthUpdate, accountID, newPeer.ID)
   	if err != nil {
   	return fmt.Errorf("failed adding peer to All group: %w", err)
   	}

2. We should make DisableDefaultPolicy configurable via setup.env and include appropriate tests. By default it should remain false unless explicitly configured by the user. For reference check how it's handled in this PR

[aliamerj]

i will work on the setup.env and tests next ,
Thank you for feedback

[aliamerj]

@bcmmbaga
I think I set up the setup.env correctly , did i miss anything ?

[Copilot]

Pull Request Overview

This PR introduces a new configuration option DisableDefaultPolicy that stops automatically creating the all-to-all policy/group during account and peer setup when enabled.

• Added disableDefaultPolicy flag to DefaultAccountManager and propagated it through BuildManager.
• Wrapped default policy creation calls in account and peer logic behind this flag.
• Updated all existing tests and infrastructure files to pass or expose the new flag (default false).

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
management/server/account.go	Added disableDefaultPolicy field, BuildManager parameter, and gated default-group creation in account logic
management/server/peer.go	Wrapped AddPeerToAllGroup behind disableDefaultPolicy check
management/server/nameserver_test.go	Updated BuildManager call to include the new flag
management/server/management_test.go	Updated BuildManager invocation with the new parameter
management/server/management_proto_test.go	Propagated new flag to BuildManager in tests
management/server/http/testing/testing_tools/tools.go	Passed false for the new flag in black-box API builder
management/server/group_test.go	Added the false argument to newAccountWithId calls
management/server/ephemeral_test.go	Updated newAccountWithId invocation with the flag
management/server/dns_test.go	Included the new false parameter in account initialization
management/server/account_test.go	Adjusted newAccountWithId and BuildManager usages
management/cmd/management.go	Propagated config.DisableDefaultPolicy to BuildManager
management/client/client_test.go	Updated test setup to pass the new flag
client/server/server_test.go	Added false for disableDefaultPolicy in BuildManager calls
client/internal/engine_test.go	Included the new flag parameter in manager startup
client/cmd/testutil_test.go	Passed false for the new parameter in test helper
.github/workflows/test-infrastructure-files.yml	Set CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY and validated it
infrastructure_files/{base.setup.env,setup.env.example,...}	Exposed NETBIRD_MGMT_DISABLE_DEFAULT_POLICY in env and templates

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[aliamerj]

@bcmmbaga,
Do we need to have a third commit to add some tests ?

[mlsmaycon]

@aliamerj this change should only affect adding the default policy. Nothing else. The add all group should stay as is because the ALL group is used everywhere, and its existence is independent from the default policy. It basically should contain all peers.

[mlsmaycon]

can you please check my comment about the all group?

[aliamerj]

@mlsmaycon

Thanks for the review! I want to clarify how the implementation handles the "All" group and default policy:

In the AddAllGroup function:

func (a *Account) AddAllGroup(disableDefaultPolicy bool) error {
    if len(a.Groups) == 0 {
        // 1. ALWAYS create the "All" group
        allGroup := &Group{...}
        a.Groups = map[string]*Group{allGroup.ID: allGroup}

        // 2. Only conditionally create the policy
        if disableDefaultPolicy {
            return nil // Skip policy creation
        }

        // 3. Create default policy (only when not disabled)
        defaultPolicy := &Policy{...}
        a.Policies = []*Policy{defaultPolicy}
    }
    return nil
}

The "All" group is always created regardless of the disableDefaultPolicy flag

Only the policy creation is conditional

In account creation paths:

// newAccountWithId ALWAYS calls AddAllGroup
func newAccountWithId(..., disableDefaultPolicy bool) *Account {
    acc := &Account{...}
    acc.AddAllGroup(disableDefaultPolicy) // Always called
    return acc
}

// GetOrCreateAccountByPrivateDomain ALWAYS calls AddAllGroup
newAccount.AddAllGroup(am.DisableDefaultPolicy)

This ensures:

• The "All" group is always present (required for system functionality)
• The default policy is only created when not disabled
• Complete separation between group and policy creation

So I didn't get it , what should i change ?