Merge branch 'main' into refactor/wire-permissions-manager

# Conflicts: # go.mod # go.sum
2025-10-26 11:17:32 +00:00 · 2025-10-24 14:41:42 +02:00 · 2025-10-24 14:41:42 +02:00 · 8d19547acd
commit 8d19547acd
parent e8b747676e 709e24eb6f
19 changed files with 287 additions and 51 deletions
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@ -307,8 +307,14 @@ func getStatusOutput(cmd *cobra.Command, anon bool) string {
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
+		pm := profilemanager.NewProfileManager()
+		var profName string
+		if activeProf, err := pm.GetActiveProfile(); err == nil {
+			profName = activeProf.Name
+		}
+
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", profName),
 		)
 	}
 	return statusOutputString
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@ -47,7 +47,7 @@ nftables.txt: Anonymized nftables rules with packet counters, if --system-info f
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
-state.json: Anonymized client state dump containing netbird states.
+state.json: Anonymized client state dump containing netbird states for the active profile.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
 block.prof: Block profiling information.
@ -564,6 +564,8 @@ func (g *BundleGenerator) addStateFile() error {
 		return nil
 	}

+	log.Debugf("Adding state file from: %s", path)
+
 	data, err := os.ReadFile(path)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@ -17,6 +17,7 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/internal/winregistry"
 )

 var (
@ -197,6 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}

+	if err := r.removeDNSMatchPolicies(); err != nil {
+		log.Errorf("cleanup old dns match policies: %s", err)
+	}
+
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
 		if err != nil {
@ -204,9 +209,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		}
 		r.nrptEntryCount = count
 	} else {
-		if err := r.removeDNSMatchPolicies(); err != nil {
-			return fmt.Errorf("remove dns match policies: %w", err)
-		}
 		r.nrptEntryCount = 0
 	}

@ -273,9 +275,9 @@ func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []s
 		return fmt.Errorf("remove existing dns policy: %w", err)
 	}

-	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
+	regKey, _, err := winregistry.CreateVolatileKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
 	if err != nil {
-		return fmt.Errorf("create registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
+		return fmt.Errorf("create volatile registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
 	}
 	defer closer(regKey)

--- a/client/internal/dns/host_windows_test.go
+++ b/client/internal/dns/host_windows_test.go
@ -0,0 +1,102 @@
+package dns
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/windows/registry"
+)
+
+// TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
+// when the number of match domains decreases between configuration changes.
+func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping registry integration test in short mode")
+	}
+
+	defer cleanupRegistryKeys(t)
+	cleanupRegistryKeys(t)
+
+	testIP := netip.MustParseAddr("100.64.0.1")
+
+	// Create a test interface registry key so updateSearchDomains doesn't fail
+	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
+	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
+	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
+	require.NoError(t, err, "Should create test interface registry key")
+	testKey.Close()
+	defer func() {
+		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
+	}()
+
+	cfg := &registryConfigurator{
+		guid: testGUID,
+		gpo:  false,
+	}
+
+	config5 := HostDNSConfig{
+		ServerIP: testIP,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
+	}
+
+	err = cfg.applyDNSConfig(config5, nil)
+	require.NoError(t, err)
+
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
+	}
+
+	config2 := HostDNSConfig{
+		ServerIP: testIP,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
+	}
+
+	err = cfg.applyDNSConfig(config2, nil)
+	require.NoError(t, err)
+
+	// Verify first 2 entries exist
+	for i := 0; i < 2; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
+	}
+
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
+}
+
+func registryKeyExists(path string) (bool, error) {
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.QUERY_VALUE)
+	if err != nil {
+		if err == registry.ErrNotExist {
+			return false, nil
+		}
+		return false, err
+	}
+	k.Close()
+	return true, nil
+}
+
+func cleanupRegistryKeys(*testing.T) {
+	cfg := &registryConfigurator{nrptEntryCount: 10}
+	_ = cfg.removeDNSMatchPolicies()
+}
--- a/client/internal/winregistry/volatile_windows.go
+++ b/client/internal/winregistry/volatile_windows.go
@ -0,0 +1,59 @@
+package winregistry
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows/registry"
+)
+
+var (
+	advapi          = syscall.NewLazyDLL("advapi32.dll")
+	regCreateKeyExW = advapi.NewProc("RegCreateKeyExW")
+)
+
+const (
+	// Registry key options
+	regOptionNonVolatile = 0x0 // Key is preserved when system is rebooted
+	regOptionVolatile    = 0x1 // Key is not preserved when system is rebooted
+
+	// Registry disposition values
+	regCreatedNewKey     = 0x1
+	regOpenedExistingKey = 0x2
+)
+
+// CreateVolatileKey creates a volatile registry key named path under open key root.
+// CreateVolatileKey returns the new key and a boolean flag that reports whether the key already existed.
+// The access parameter specifies the access rights for the key to be created.
+//
+// Volatile keys are stored in memory and are automatically deleted when the system is shut down.
+// This provides automatic cleanup without requiring manual registry maintenance.
+func CreateVolatileKey(root registry.Key, path string, access uint32) (registry.Key, bool, error) {
+	pathPtr, err := syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return 0, false, err
+	}
+
+	var (
+		handle      syscall.Handle
+		disposition uint32
+	)
+
+	ret, _, _ := regCreateKeyExW.Call(
+		uintptr(root),
+		uintptr(unsafe.Pointer(pathPtr)),
+		0,                          // reserved
+		0,                          // class
+		uintptr(regOptionVolatile), // options - volatile key
+		uintptr(access),            // desired access
+		0,                          // security attributes
+		uintptr(unsafe.Pointer(&handle)),
+		uintptr(unsafe.Pointer(&disposition)),
+	)
+
+	if ret != 0 {
+		return 0, false, syscall.Errno(ret)
+	}
+
+	return registry.Key(handle), disposition == regOpenedExistingKey, nil
+}
--- a/client/ui/debug.go
+++ b/client/ui/debug.go
@ -18,6 +18,7 @@ import (
 	"github.com/skratchdot/open-golang/open"

 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	uptypes "github.com/netbirdio/netbird/upload-server/types"
@ -426,6 +427,12 @@ func (s *serviceClient) collectDebugData(
 		return "", err
 	}

+	pm := profilemanager.NewProfileManager()
+	var profName string
+	if activeProf, err := pm.GetActiveProfile(); err == nil {
+		profName = activeProf.Name
+	}
+
 	postUpStatus, err := conn.Status(s.ctx, &proto.StatusRequest{GetFullPeerStatus: true})
 	if err != nil {
 		log.Warnf("Failed to get post-up status: %v", err)
@ -433,7 +440,7 @@ func (s *serviceClient) collectDebugData(

 	var postUpStatusOutput string
 	if postUpStatus != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(postUpStatus, params.anonymize, "", nil, nil, nil, "", "")
+		overview := nbstatus.ConvertToStatusOutputOverview(postUpStatus, params.anonymize, "", nil, nil, nil, "", profName)
 		postUpStatusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 	headerPostUp := fmt.Sprintf("----- NetBird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
@ -450,7 +457,7 @@ func (s *serviceClient) collectDebugData(

 	var preDownStatusOutput string
 	if preDownStatus != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(preDownStatus, params.anonymize, "", nil, nil, nil, "", "")
+		overview := nbstatus.ConvertToStatusOutputOverview(preDownStatus, params.anonymize, "", nil, nil, nil, "", profName)
 		preDownStatusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 	headerPreDown := fmt.Sprintf("----- NetBird pre-down - Timestamp: %s - Duration: %s",
@ -574,6 +581,12 @@ func (s *serviceClient) createDebugBundle(anonymize bool, systemInfo bool, uploa
 		return nil, fmt.Errorf("get client: %v", err)
 	}

+	pm := profilemanager.NewProfileManager()
+	var profName string
+	if activeProf, err := pm.GetActiveProfile(); err == nil {
+		profName = activeProf.Name
+	}
+
 	statusResp, err := conn.Status(s.ctx, &proto.StatusRequest{GetFullPeerStatus: true})
 	if err != nil {
 		log.Warnf("failed to get status for debug bundle: %v", err)
@ -581,7 +594,7 @@ func (s *serviceClient) createDebugBundle(anonymize bool, systemInfo bool, uploa

 	var statusOutput string
 	if statusResp != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(statusResp, anonymize, "", nil, nil, nil, "", "")
+		overview := nbstatus.ConvertToStatusOutputOverview(statusResp, anonymize, "", nil, nil, nil, "", profName)
 		statusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}

--- a/go.mod
+++ b/go.mod
@ -62,7 +62,7 @@ require (
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20251020220640-8537921c9adc
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20251022080146-b1caade69396
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
--- a/go.sum
+++ b/go.sum
@ -503,8 +503,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20251020220640-8537921c9adc h1:5AAcrPG/+NajbBOZ+H8HTIlo20pOjtDX6BafmWVQLFs=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20251020220640-8537921c9adc/go.mod h1:ifKa2jGPsOzZhJFo72v2AE5nMP3GYvlhoZ9JV6lHlJ8=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20251022080146-b1caade69396 h1:aXHS63QWf0Z5fDN19Swl6npdJjGMyXthAvvgW7rbKJQ=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20251022080146-b1caade69396/go.mod h1:v0nUbbHbuQnqR7yKIYnKzsLBCswLtp2JctmKYmGgVhc=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@ -185,12 +185,15 @@ if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
  echo "You are also free to remove any occurrences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"
  echo ""

-  export NETBIRD_SIGNAL_PROTOCOL="https"
  unset NETBIRD_LETSENCRYPT_DOMAIN
  unset NETBIRD_MGMT_API_CERT_FILE
  unset NETBIRD_MGMT_API_CERT_KEY_FILE
 fi

+if [[ -n "$NETBIRD_MGMT_API_CERT_FILE" && -n "$NETBIRD_MGMT_API_CERT_KEY_FILE" ]]; then
+  export NETBIRD_SIGNAL_PROTOCOL="https"
+fi
+
 # Check if management identity provider is set
 if [ -n "$NETBIRD_MGMT_IDP" ]; then
  EXTRA_CONFIG={}
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@ -40,13 +40,21 @@ services:
  signal:
    <<: *default
    image: netbirdio/signal:$NETBIRD_SIGNAL_TAG
+    depends_on:
+          - dashboard
    volumes:
      - $SIGNAL_VOLUMENAME:/var/lib/netbird
+      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
    ports:
      - $NETBIRD_SIGNAL_PORT:80
  #      # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
+    command: [
+      "--cert-file", "$NETBIRD_MGMT_API_CERT_FILE",
+      "--cert-key", "$NETBIRD_MGMT_API_CERT_KEY_FILE",
+      "--log-file", "console"
+    ]

  # Relay
  relay:
--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@ -109,7 +109,7 @@ type Manager interface {
 	GetIdpManager() idp.Manager
 	UpdateIntegratedValidator(ctx context.Context, accountID, userID, validator string, groups []string) error
 	GroupValidation(ctx context.Context, accountId string, groups []string) (bool, error)
-	GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, error)
+	GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error)
 	SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
 	OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error
 	SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@ -78,7 +78,7 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 	grps, _ := h.accountManager.GetPeerGroups(ctx, accountID, peerID)
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, 0)

-	validPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
+	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to list approved peers: %v", err)
 		util.WriteError(ctx, fmt.Errorf("internal error"), w)
@ -86,7 +86,9 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 	}

 	_, valid := validPeers[peer.ID]
-	util.WriteJSONObject(ctx, w, toSinglePeerResponse(peerToReturn, grpsInfoMap[peerID], dnsDomain, valid))
+	reason := invalidPeers[peer.ID]
+
+	util.WriteJSONObject(ctx, w, toSinglePeerResponse(peerToReturn, grpsInfoMap[peerID], dnsDomain, valid, reason))
 }

 func (h *Handler) updatePeer(ctx context.Context, accountID, userID, peerID string, w http.ResponseWriter, r *http.Request) {
@ -147,16 +149,17 @@ func (h *Handler) updatePeer(ctx context.Context, accountID, userID, peerID stri

 	grpsInfoMap := groups.ToGroupsInfoMap(peerGroups, 0)

-	validPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
+	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
 	if err != nil {
-		log.WithContext(ctx).Errorf("failed to list appreoved peers: %v", err)
+		log.WithContext(ctx).Errorf("failed to get validated peers: %v", err)
 		util.WriteError(ctx, fmt.Errorf("internal error"), w)
 		return
 	}

 	_, valid := validPeers[peer.ID]
+	reason := invalidPeers[peer.ID]

-	util.WriteJSONObject(r.Context(), w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid))
+	util.WriteJSONObject(r.Context(), w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid, reason))
 }

 func (h *Handler) deletePeer(ctx context.Context, accountID, userID string, peerID string, w http.ResponseWriter) {
@ -240,22 +243,25 @@ func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
 		respBody = append(respBody, toPeerListItemResponse(peerToReturn, grpsInfoMap[peer.ID], dnsDomain, 0))
 	}

-	validPeersMap, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
+	validPeersMap, invalidPeersMap, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
-		log.WithContext(r.Context()).Errorf("failed to list appreoved peers: %v", err)
+		log.WithContext(r.Context()).Errorf("failed to get validated peers: %v", err)
 		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
 		return
 	}
-	h.setApprovalRequiredFlag(respBody, validPeersMap)
+	h.setApprovalRequiredFlag(respBody, validPeersMap, invalidPeersMap)

 	util.WriteJSONObject(r.Context(), w, respBody)
 }

-func (h *Handler) setApprovalRequiredFlag(respBody []*api.PeerBatch, approvedPeersMap map[string]struct{}) {
+func (h *Handler) setApprovalRequiredFlag(respBody []*api.PeerBatch, validPeersMap map[string]struct{}, invalidPeersMap map[string]string) {
 	for _, peer := range respBody {
-		_, ok := approvedPeersMap[peer.Id]
+		_, ok := validPeersMap[peer.Id]
 		if !ok {
 			peer.ApprovalRequired = true
+
+			reason := invalidPeersMap[peer.Id]
+			peer.DisapprovalReason = &reason
 		}
 	}
 }
@ -304,7 +310,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	validPeers, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
+	validPeers, _, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
 		log.WithContext(r.Context()).Errorf("failed to list approved peers: %v", err)
 		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
@ -430,13 +436,13 @@ func peerToAccessiblePeer(peer *nbpeer.Peer, dnsDomain string) api.AccessiblePee
 	}
 }

-func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, approved bool) *api.Peer {
+func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, approved bool, reason string) *api.Peer {
 	osVersion := peer.Meta.OSVersion
 	if osVersion == "" {
 		osVersion = peer.Meta.Core
 	}

-	return &api.Peer{
+	apiPeer := &api.Peer{
 		CreatedAt:                   peer.CreatedAt,
 		Id:                          peer.ID,
 		Name:                        peer.Name,
@ -465,6 +471,12 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 		InactivityExpirationEnabled: peer.InactivityExpirationEnabled,
 		Ephemeral:                   peer.Ephemeral,
 	}
+
+	if !approved {
+		apiPeer.DisapprovalReason = &reason
+	}
+
+	return apiPeer
 }

 func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeersCount int) *api.PeerBatch {
--- a/management/server/integrated_validator.go
+++ b/management/server/integrated_validator.go
@ -88,7 +88,7 @@ func (am *DefaultAccountManager) GroupValidation(ctx context.Context, accountID
 	return true, nil
 }

-func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, error) {
+func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error) {
 	var err error
 	var groups []*types.Group
 	var peers []*nbpeer.Peer
@ -96,20 +96,30 @@ func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountI

 	groups, err = am.Store.GetAccountGroups(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	peers, err = am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	settings, err = am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

-	return am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, groups, peers, settings.Extra)
+	validPeers, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, groups, peers, settings.Extra)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	invalidPeers, err := am.integratedPeerValidator.GetInvalidPeers(ctx, accountID, settings.Extra)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return validPeers, invalidPeers, nil
 }

 type MockIntegratedValidator struct {
@ -136,6 +146,10 @@ func (a MockIntegratedValidator) GetValidatedPeers(_ context.Context, accountID
 	return validatedPeers, nil
 }

+func (a MockIntegratedValidator) GetInvalidPeers(_ context.Context, accountID string, extraSettings *types.ExtraSettings) (map[string]string, error) {
+	return make(map[string]string), nil
+}
+
 func (MockIntegratedValidator) PreparePeer(_ context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings, temporary bool) *nbpeer.Peer {
 	return peer
 }
--- a/management/server/integrations/integrated_validator/interface.go
+++ b/management/server/integrations/integrated_validator/interface.go
@ -15,6 +15,7 @@ type IntegratedValidator interface {
 	PreparePeer(ctx context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings, temporary bool) *nbpeer.Peer
 	IsNotValidPeer(ctx context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings) (bool, bool, error)
 	GetValidatedPeers(ctx context.Context, accountID string, groups []*types.Group, peers []*nbpeer.Peer, extraSettings *types.ExtraSettings) (map[string]struct{}, error)
+	GetInvalidPeers(ctx context.Context, accountID string, extraSettings *types.ExtraSettings) (map[string]string, error)
 	PeerDeleted(ctx context.Context, accountID, peerID string, extraSettings *types.ExtraSettings) error
 	SetPeerInvalidationListener(fn func(accountID string, peerIDs []string))
 	Stop(ctx context.Context)
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@ -189,17 +189,17 @@ func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID st
 	panic("implement me")
 }

-func (am *MockAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, error) {
+func (am *MockAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error) {
 	account, err := am.GetAccountFunc(ctx, accountID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	approvedPeers := make(map[string]struct{})
 	for id := range account.Peers {
 		approvedPeers[id] = struct{}{}
 	}
-	return approvedPeers, nil
+	return approvedPeers, nil, nil
 }

 // GetGroup mock implementation of GetGroup from server.AccountManager interface
--- a/release_files/install.sh
+++ b/release_files/install.sh
@ -29,6 +29,8 @@ if [ -z ${NETBIRD_RELEASE+x} ]; then
    NETBIRD_RELEASE=latest
 fi

+TAG_NAME=""
+
 get_release() {
    local RELEASE=$1
    if [ "$RELEASE" = "latest" ]; then
@ -38,17 +40,19 @@ get_release() {
        local TAG="tags/${RELEASE}"
        local URL="https://api.github.com/repos/${OWNER}/${REPO}/releases/${TAG}"
    fi
+	OUTPUT=""
    if [ -n "$GITHUB_TOKEN" ]; then
-          curl -H  "Authorization: token ${GITHUB_TOKEN}" -s "${URL}" \
-              | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/'
+          OUTPUT=$(curl -H  "Authorization: token ${GITHUB_TOKEN}" -s "${URL}")
    else
-          curl -s "${URL}" \
-              | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/'
+          OUTPUT=$(curl -s "${URL}") 
    fi
+	TAG_NAME=$(echo ${OUTPUT} |  grep -Eo '\"tag_name\":\s*\"v([0-9]+\.){2}[0-9]+"' | tail -n 1)
+	echo "${TAG_NAME}" | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+'
 }

 download_release_binary() {
    VERSION=$(get_release "$NETBIRD_RELEASE")
+	echo "Using the following tag name for binary installation: ${TAG_NAME}"
    BASE_URL="https://github.com/${OWNER}/${REPO}/releases/download"
    BINARY_BASE_NAME="${VERSION#v}_${OS_TYPE}_${ARCH}.tar.gz"

--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@ -463,6 +463,9 @@ components:
              description: (Cloud only) Indicates whether peer needs approval
              type: boolean
              example: true
+            disapproval_reason:
+              description: (Cloud only) Reason why the peer requires approval
+              type: string
            country_code:
              $ref: '#/components/schemas/CountryCode'
            city_name:
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@ -1037,6 +1037,9 @@ type Peer struct {
 	// CreatedAt Peer creation date (UTC)
 	CreatedAt time.Time `json:"created_at"`

+	// DisapprovalReason (Cloud only) Reason why the peer requires approval
+	DisapprovalReason *string `json:"disapproval_reason,omitempty"`
+
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`

@ -1124,6 +1127,9 @@ type PeerBatch struct {
 	// CreatedAt Peer creation date (UTC)
 	CreatedAt time.Time `json:"created_at"`

+	// DisapprovalReason (Cloud only) Reason why the peer requires approval
+	DisapprovalReason *string `json:"disapproval_reason,omitempty"`
+
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`

--- a/signal/cmd/run.go
+++ b/signal/cmd/run.go
@ -94,7 +94,7 @@ var (

 			startPprof()

-			opts, certManager, err := getTLSConfigurations()
+			opts, certManager, tlsConfig, err := getTLSConfigurations()
 			if err != nil {
 				return err
 			}
@ -132,7 +132,7 @@ var (

 			// Start the main server - always serve HTTP with WebSocket proxy support
 			// If certManager is configured and signalPort == 443, it's already handled by startServerWithCertManager
-			if certManager == nil {
+			if tlsConfig == nil {
 				// Without TLS, serve plain HTTP
 				httpListener, err = net.Listen("tcp", fmt.Sprintf(":%d", signalPort))
 				if err != nil {
@ -140,9 +140,10 @@ var (
 				}
 				log.Infof("running HTTP server with WebSocket proxy (no TLS): %s", httpListener.Addr().String())
 				serveHTTP(httpListener, grpcRootHandler)
-			} else if signalPort != 443 {
-				// With TLS but not on port 443, serve HTTPS
-				httpListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig())
+			} else if certManager == nil || signalPort != 443 {
+				// Serve HTTPS if not already handled by startServerWithCertManager
+				// (custom certificates or Let's Encrypt with custom port)
+				httpListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig)
 				if err != nil {
 					return err
 				}
@ -202,7 +203,7 @@ func startPprof() {
 	}()
 }

-func getTLSConfigurations() ([]grpc.ServerOption, *autocert.Manager, error) {
+func getTLSConfigurations() ([]grpc.ServerOption, *autocert.Manager, *tls.Config, error) {
 	var (
 		err         error
 		certManager *autocert.Manager
@ -211,33 +212,33 @@ func getTLSConfigurations() ([]grpc.ServerOption, *autocert.Manager, error) {

 	if signalLetsencryptDomain == "" && signalCertFile == "" && signalCertKey == "" {
 		log.Infof("running without TLS")
-		return nil, nil, nil
+		return nil, nil, nil, nil
 	}

 	if signalLetsencryptDomain != "" {
 		certManager, err = encryption.CreateCertManager(signalSSLDir, signalLetsencryptDomain)
 		if err != nil {
-			return nil, certManager, err
+			return nil, certManager, nil, err
 		}
 		tlsConfig = certManager.TLSConfig()
 		log.Infof("setting up TLS with LetsEncrypt.")
 	} else {
 		if signalCertFile == "" || signalCertKey == "" {
 			log.Errorf("both cert-file and cert-key must be provided when not using LetsEncrypt")
-			return nil, certManager, errors.New("both cert-file and cert-key must be provided when not using LetsEncrypt")
+			return nil, certManager, nil, errors.New("both cert-file and cert-key must be provided when not using LetsEncrypt")
 		}

 		tlsConfig, err = loadTLSConfig(signalCertFile, signalCertKey)
 		if err != nil {
 			log.Errorf("cannot load TLS credentials: %v", err)
-			return nil, certManager, err
+			return nil, certManager, nil, err
 		}
 		log.Infof("setting up TLS with custom certificates.")
 	}

 	transportCredentials := credentials.NewTLS(tlsConfig)

-	return []grpc.ServerOption{grpc.Creds(transportCredentials)}, certManager, err
+	return []grpc.ServerOption{grpc.Creds(transportCredentials)}, certManager, tlsConfig, err
 }

 func startServerWithCertManager(certManager *autocert.Manager, grpcRootHandler http.Handler) {