Implement posture check execution in policy

# Conflicts:
#	go.sum

go.mod

@@ -23,7 +23,7 @@ require (
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.56.3
-	google.golang.org/protobuf v1.30.0
+	google.golang.org/protobuf v1.31.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
@@ -73,7 +73,7 @@ require (
 	golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028
 	golang.org/x/net v0.17.0
 	golang.org/x/oauth2 v0.8.0
-	golang.org/x/sync v0.2.0
+	golang.org/x/sync v0.3.0
 	golang.org/x/term v0.13.0
 	google.golang.org/api v0.126.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -84,7 +84,7 @@ require (
 require (
 	cloud.google.com/go/compute v1.19.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/XiaoMi/pegasus-go-client v0.0.0-20210427083443-f3b6b08bc4c2 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -93,6 +93,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fredbi/uri v0.0.0-20181227131451-3dcfdacbaaf3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/getlantern/context v0.0.0-20190109183933-c447772a6520 // indirect
@@ -142,10 +143,10 @@ require (
 	go.opentelemetry.io/otel/sdk v1.11.1 // indirect
 	go.opentelemetry.io/otel/trace v1.11.1 // indirect
 	golang.org/x/image v0.10.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.12.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect

go.sum

@@ -48,8 +48,9 @@ github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6L
 github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Kodeworks/golang-image-ico v0.0.0-20141118225523-73f0f4cfade9/go.mod h1:7uhhqiBaR4CpN0k9rMjOtjpcfGd6DG2m04zQxKnWQ0I=
 github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
@@ -161,8 +162,9 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/eko/gocache/v3 v3.1.1 h1:r3CBwLnqPkcK56h9Do2CWw1kZ4TeKK0wDE1Oo/YZnhs=
 github.com/eko/gocache/v3 v3.1.1/go.mod h1:UpP/LyHAioP/a/dizgl0MpgZ3A3CkS4NbG/mWkGTQ9M=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
@@ -778,8 +780,9 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -870,8 +873,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1002,8 +1005,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
-golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1058,8 +1061,9 @@ golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
+golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1169,8 +1173,9 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

management/server/checks/posture_checks.go

@@ -0,0 +1,68 @@
+package checks
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/go-version"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+type PostureCheck struct {
+	// ID of the policy rule
+	ID string `gorm:"primaryKey"`
+
+	// PolicyID is a reference to Policy that this object belongs
+	PolicyID string `json:"-" gorm:"index"`
+
+	NBVersionCheck NBVersionPostureCheck `gorm:"embedded;embeddedPrefix:nb_version_check_"`
+	OSVersionCheck OSVersionPostureCheck `gorm:"embedded;embeddedPrefix:os_version_check_"`
+}
+
+type NBVersionPostureCheck struct {
+	Enabled               bool
+	MinimumVersionAllowed string
+}
+
+func (n *NBVersionPostureCheck) Check(peer nbpeer.Peer) error {
+	peerNBVersion, err := version.NewVersion(peer.Meta.UIVersion)
+	if err != nil {
+		return err
+	}
+
+	constraints, err := version.NewConstraint(">= " + n.MinimumVersionAllowed)
+	if err != nil {
+		return err
+	}
+
+	if constraints.Check(peerNBVersion) {
+		return nil
+	}
+
+	return fmt.Errorf("peer nb version is older than minimum allowed version %s", n.MinimumVersionAllowed)
+}
+
+type OSVersionPostureCheck struct {
+	Enabled               bool
+	MinimumVersionAllowed string
+
+	// TODO: add OS context to prevent using the same version on different OS types
+}
+
+func (o *OSVersionPostureCheck) Check(peer nbpeer.Peer) error {
+	peerNBVersion, err := version.NewVersion(peer.Meta.UIVersion)
+	if err != nil {
+		return err
+	}
+
+	constraints, err := version.NewConstraint(">= " + o.MinimumVersionAllowed)
+	if err != nil {
+		return err
+	}
+
+	if constraints.Check(peerNBVersion) {
+		return nil
+	}
+
+	return fmt.Errorf("peer OS version is not supported")
+}

management/server/http/api/openapi.yml

@@ -784,8 +784,11 @@ components:
               type: array
               items:
                 $ref: '#/components/schemas/PolicyRuleUpdate'
+            postureCheck:
+              $ref: '#/components/schemas/PostureCheck'
           required:
             - rules
+            - PostureCheck
     Policy:
       allOf:
         - $ref: '#/components/schemas/PolicyMinimum'
@@ -796,8 +799,11 @@ components:
               type: array
               items:
                 $ref: '#/components/schemas/PolicyRule'
+            postureCheck:
+              $ref: '#/components/schemas/PostureCheck'
           required:
             - rules
+            - postureCheck
     RouteRequest:
       type: object
       properties:
@@ -1034,6 +1040,35 @@ components:
         - initiator_email
         - target_id
         - meta
+    PostureCheck:
+      description: Policy poster check
+      type: object
+      properties:
+        osVersionPostureCheck:
+          $ref: '#/components/schemas/OSVersionPostureCheck'
+        nbVersionPostureCheck:
+          $ref: '#/components/schemas/NBVersionPostureCheck'
+      required:
+        - osVersionPostureCheck
+        - nbVersionPostureCheck
+    NBVersionPostureCheck:
+      type: object
+      properties:
+        enabled:
+          type: boolean
+          example: false
+        minimumVersionAllowed:
+          type: string
+          example: "1.2.3"
+    OSVersionPostureCheck:
+      type: object
+      properties:
+        enabled:
+          type: boolean
+          example: false
+        minimumVersionAllowed:
+          type: string
+          example: "1.2.3"
   responses:
     not_found:
       description: Resource not found

management/server/http/api/types.gen.go

@@ -257,6 +257,12 @@ type GroupRequest struct {
 	Peers *[]string `json:"peers,omitempty"`
 }
 
+// NBVersionPostureCheck defines model for NBVersionPostureCheck.
+type NBVersionPostureCheck struct {
+	Enabled               *bool   `json:"enabled,omitempty"`
+	MinimumVersionAllowed *string `json:"minimumVersionAllowed,omitempty"`
+}
+
 // Nameserver defines model for Nameserver.
 type Nameserver struct {
 	// Ip Nameserver IP
@@ -329,6 +335,12 @@ type NameserverGroupRequest struct {
 	SearchDomainsEnabled bool `json:"search_domains_enabled"`
 }
 
+// OSVersionPostureCheck defines model for OSVersionPostureCheck.
+type OSVersionPostureCheck struct {
+	Enabled               *bool   `json:"enabled,omitempty"`
+	MinimumVersionAllowed *string `json:"minimumVersionAllowed,omitempty"`
+}
+
 // Peer defines model for Peer.
 type Peer struct {
 	// AccessiblePeers List of accessible peers
@@ -567,6 +579,9 @@ type Policy struct {
 	// Name Policy name identifier
 	Name string `json:"name"`
 
+	// PostureCheck Policy poster check
+	PostureCheck PostureCheck `json:"postureCheck"`
+
 	// Query Policy Rego query
 	Query string `json:"query"`
 
@@ -717,6 +732,9 @@ type PolicyUpdate struct {
 	// Name Policy name identifier
 	Name string `json:"name"`
 
+	// PostureCheck Policy poster check
+	PostureCheck *PostureCheck `json:"postureCheck,omitempty"`
+
 	// Query Policy Rego query
 	Query string `json:"query"`
 
@@ -724,6 +742,12 @@ type PolicyUpdate struct {
 	Rules []PolicyRuleUpdate `json:"rules"`
 }
 
+// PostureCheck Policy poster check
+type PostureCheck struct {
+	NbVersionPostureCheck NBVersionPostureCheck `json:"nbVersionPostureCheck"`
+	OsVersionPostureCheck OSVersionPostureCheck `json:"osVersionPostureCheck"`
+}
+
 // Route defines model for Route.
 type Route struct {
 	// Description Route description

management/server/http/policies_handler.go

@@ -9,6 +9,7 @@ import (
 	"github.com/rs/xid"
 
 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/checks"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
@@ -117,13 +118,8 @@ func (h *Policies) savePolicy(
 		return
 	}
 
-	if req.Name == "" {
-		util.WriteError(status.Errorf(status.InvalidArgument, "policy name shouldn't be empty"), w)
-		return
-	}
-
-	if len(req.Rules) == 0 {
-		util.WriteError(status.Errorf(status.InvalidArgument, "policy rules shouldn't be empty"), w)
+	if err := validatePolicyUpdateReq(req); err != nil {
+		util.WriteError(err, w)
 		return
 	}
 
@@ -206,6 +202,35 @@ func (h *Policies) savePolicy(
 		policy.Rules = append(policy.Rules, &pr)
 	}
 
+	if req.PostureCheck != nil {
+		var (
+			osVersionPostureCheck checks.OSVersionPostureCheck
+			nbVersionPostureCheck checks.NBVersionPostureCheck
+		)
+
+		osVersionPostureCheckReq := req.PostureCheck.OsVersionPostureCheck
+		if enabled := osVersionPostureCheckReq.Enabled; enabled != nil {
+			osVersionPostureCheck.Enabled = *enabled
+		}
+		if minAllowedVersionReq := osVersionPostureCheckReq.MinimumVersionAllowed; minAllowedVersionReq != nil {
+			osVersionPostureCheck.MinimumVersionAllowed = *minAllowedVersionReq
+		}
+
+		nbVersionPostureCheckReq := req.PostureCheck.NbVersionPostureCheck
+		if enabled := nbVersionPostureCheckReq.Enabled; enabled != nil {
+			nbVersionPostureCheck.Enabled = *enabled
+		}
+		if minAllowedVersionReq := nbVersionPostureCheckReq.MinimumVersionAllowed; minAllowedVersionReq != nil {
+			nbVersionPostureCheck.MinimumVersionAllowed = *minAllowedVersionReq
+		}
+
+		policy.PostureCheck = checks.PostureCheck{
+			ID:             policyID,
+			NBVersionCheck: nbVersionPostureCheck,
+			OSVersionCheck: osVersionPostureCheck,
+		}
+	}
+
 	if err := h.accountManager.SavePolicy(account.Id, user.Id, &policy); err != nil {
 		util.WriteError(err, w)
 		return
@@ -338,6 +363,20 @@ func toPolicyResponse(account *server.Account, policy *server.Policy) *api.Polic
 		}
 		ap.Rules = append(ap.Rules, rule)
 	}
+
+	nbVersionCheck := policy.PostureCheck.NBVersionCheck
+	osVersionCheck := policy.PostureCheck.OSVersionCheck
+	ap.PostureCheck = api.PostureCheck{
+		NbVersionPostureCheck: api.NBVersionPostureCheck{
+			Enabled:               &nbVersionCheck.Enabled,
+			MinimumVersionAllowed: &nbVersionCheck.MinimumVersionAllowed,
+		},
+		OsVersionPostureCheck: api.OSVersionPostureCheck{
+			Enabled:               &osVersionCheck.Enabled,
+			MinimumVersionAllowed: &osVersionCheck.MinimumVersionAllowed,
+		},
+	}
+
 	return ap
 }
 
@@ -351,3 +390,31 @@ func groupMinimumsToStrings(account *server.Account, gm []string) []string {
 	}
 	return result
 }
+
+func validatePolicyUpdateReq(req api.PutApiPoliciesPolicyIdJSONRequestBody) error {
+	if req.Name == "" {
+		return status.Errorf(status.InvalidArgument, "policy name shouldn't be empty")
+	}
+
+	if len(req.Rules) == 0 {
+		return status.Errorf(status.InvalidArgument, "policy rules shouldn't be empty")
+	}
+
+	if req.PostureCheck == nil {
+		return status.Errorf(status.InvalidArgument, "policy posture checks shouldn't be empty")
+	}
+
+	if enabled := req.PostureCheck.NbVersionPostureCheck.Enabled; enabled != nil && *enabled {
+		if minVersion := req.PostureCheck.NbVersionPostureCheck.MinimumVersionAllowed; minVersion == nil || *minVersion == "" {
+			return status.Errorf(status.InvalidArgument, "netbird version posture check is enabled, minimum version allowed shouldn't be empty")
+		}
+	}
+
+	if enabled := req.PostureCheck.OsVersionPostureCheck.Enabled; enabled != nil && *enabled {
+		if minVersion := req.PostureCheck.OsVersionPostureCheck.MinimumVersionAllowed; minVersion == nil || *minVersion == "" {
+			return status.Errorf(status.InvalidArgument, "os version posture check is enabled, minimum version allowed shouldn't be empty")
+		}
+	}
+
+	return nil
+}

management/server/policy.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/checks"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )
@@ -150,16 +151,20 @@ type Policy struct {
 
 	// Rules of the policy
 	Rules []*PolicyRule `gorm:"foreignKey:PolicyID;references:id"`
+
+	// PostureCheck of the policy
+	PostureCheck checks.PostureCheck `gorm:"foreignKey:PolicyID;references:id"`
 }
 
 // Copy returns a copy of the policy.
 func (p *Policy) Copy() *Policy {
 	c := &Policy{
-		ID:          p.ID,
-		Name:        p.Name,
-		Description: p.Description,
-		Enabled:     p.Enabled,
-		Rules:       make([]*PolicyRule, len(p.Rules)),
+		ID:           p.ID,
+		Name:         p.Name,
+		Description:  p.Description,
+		Enabled:      p.Enabled,
+		Rules:        make([]*PolicyRule, len(p.Rules)),
+		PostureCheck: p.PostureCheck,
 	}
 	for i, r := range p.Rules {
 		c.Rules[i] = r.Copy()
@@ -214,6 +219,21 @@ func (a *Account) getPeerConnectionResources(peerID string) ([]*nbpeer.Peer, []*
 			continue
 		}
 
+		// TODO: implement posture checks executions based on policy
+
+		peer, ok := a.Peers[peerID]
+		if !ok && peer == nil {
+			continue
+		}
+
+		if policy.PostureCheck.OSVersionCheck.Enabled {
+			err := policy.PostureCheck.OSVersionCheck.Check(*peer)
+			if err != nil {
+				log.Debugf(err.Error())
+				continue
+			}
+		}
+
 		for _, rule := range policy.Rules {
 			if !rule.Enabled {
 				continue

management/server/sqlite_store.go

@@ -15,6 +15,7 @@ import (
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/account"
+	"github.com/netbirdio/netbird/management/server/checks"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -63,7 +64,7 @@ func NewSqliteStore(dataDir string, metrics telemetry.AppMetrics) (*SqliteStore,
 	err = db.AutoMigrate(
 		&SetupKey{}, &nbpeer.Peer{}, &User{}, &PersonalAccessToken{}, &Group{}, &Rule{},
 		&Account{}, &Policy{}, &PolicyRule{}, &route.Route{}, &nbdns.NameServerGroup{},
-		&installation{}, &account.ExtraSettings{},
+		&installation{}, &account.ExtraSettings{}, &checks.PostureCheck{},
 	)
 	if err != nil {
 		return nil, err