Merge branch 'main' into feat/auto-upgrade

2026-05-04 16:16:40 +00:00 · 2025-10-27 09:57:54 +01:00
parent 6eee52b56e 709e24eb6f
commit 030ddae51e
88 changed files with 2873 additions and 1084 deletions
--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -109,7 +109,7 @@ type Manager interface {
 	GetIdpManager() idp.Manager
 	UpdateIntegratedValidator(ctx context.Context, accountID, userID, validator string, groups []string) error
 	GroupValidation(ctx context.Context, accountId string, groups []string) (bool, error)
-	GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, error)
+	GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error)
 	SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
 	OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error
 	SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -78,7 +78,7 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 	grps, _ := h.accountManager.GetPeerGroups(ctx, accountID, peerID)
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, 0)

-	validPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
+	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to list approved peers: %v", err)
 		util.WriteError(ctx, fmt.Errorf("internal error"), w)
@@ -86,7 +86,9 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 	}

 	_, valid := validPeers[peer.ID]
-	util.WriteJSONObject(ctx, w, toSinglePeerResponse(peerToReturn, grpsInfoMap[peerID], dnsDomain, valid))
+	reason := invalidPeers[peer.ID]
+
+	util.WriteJSONObject(ctx, w, toSinglePeerResponse(peerToReturn, grpsInfoMap[peerID], dnsDomain, valid, reason))
 }

 func (h *Handler) updatePeer(ctx context.Context, accountID, userID, peerID string, w http.ResponseWriter, r *http.Request) {
@@ -147,16 +149,17 @@ func (h *Handler) updatePeer(ctx context.Context, accountID, userID, peerID stri

 	grpsInfoMap := groups.ToGroupsInfoMap(peerGroups, 0)

-	validPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
+	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
 	if err != nil {
-		log.WithContext(ctx).Errorf("failed to list appreoved peers: %v", err)
+		log.WithContext(ctx).Errorf("failed to get validated peers: %v", err)
 		util.WriteError(ctx, fmt.Errorf("internal error"), w)
 		return
 	}

 	_, valid := validPeers[peer.ID]
+	reason := invalidPeers[peer.ID]

-	util.WriteJSONObject(r.Context(), w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid))
+	util.WriteJSONObject(r.Context(), w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid, reason))
 }

 func (h *Handler) deletePeer(ctx context.Context, accountID, userID string, peerID string, w http.ResponseWriter) {
@@ -240,22 +243,25 @@ func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
 		respBody = append(respBody, toPeerListItemResponse(peerToReturn, grpsInfoMap[peer.ID], dnsDomain, 0))
 	}

-	validPeersMap, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
+	validPeersMap, invalidPeersMap, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
-		log.WithContext(r.Context()).Errorf("failed to list appreoved peers: %v", err)
+		log.WithContext(r.Context()).Errorf("failed to get validated peers: %v", err)
 		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
 		return
 	}
-	h.setApprovalRequiredFlag(respBody, validPeersMap)
+	h.setApprovalRequiredFlag(respBody, validPeersMap, invalidPeersMap)

 	util.WriteJSONObject(r.Context(), w, respBody)
 }

-func (h *Handler) setApprovalRequiredFlag(respBody []*api.PeerBatch, approvedPeersMap map[string]struct{}) {
+func (h *Handler) setApprovalRequiredFlag(respBody []*api.PeerBatch, validPeersMap map[string]struct{}, invalidPeersMap map[string]string) {
 	for _, peer := range respBody {
-		_, ok := approvedPeersMap[peer.Id]
+		_, ok := validPeersMap[peer.Id]
 		if !ok {
 			peer.ApprovalRequired = true
+
+			reason := invalidPeersMap[peer.Id]
+			peer.DisapprovalReason = &reason
 		}
 	}
 }
@@ -304,7 +310,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	validPeers, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
+	validPeers, _, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
 		log.WithContext(r.Context()).Errorf("failed to list approved peers: %v", err)
 		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
@@ -430,13 +436,13 @@ func peerToAccessiblePeer(peer *nbpeer.Peer, dnsDomain string) api.AccessiblePee
 	}
 }

-func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, approved bool) *api.Peer {
+func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, approved bool, reason string) *api.Peer {
 	osVersion := peer.Meta.OSVersion
 	if osVersion == "" {
 		osVersion = peer.Meta.Core
 	}

-	return &api.Peer{
+	apiPeer := &api.Peer{
 		CreatedAt:                   peer.CreatedAt,
 		Id:                          peer.ID,
 		Name:                        peer.Name,
@@ -465,6 +471,12 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 		InactivityExpirationEnabled: peer.InactivityExpirationEnabled,
 		Ephemeral:                   peer.Ephemeral,
 	}
+
+	if !approved {
+		apiPeer.DisapprovalReason = &reason
+	}
+
+	return apiPeer
 }

 func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeersCount int) *api.PeerBatch {
--- a/management/server/idp/auth0_test.go
+++ b/management/server/idp/auth0_test.go
@@ -26,9 +26,11 @@ type mockHTTPClient struct {
 }

 func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
-	body, err := io.ReadAll(req.Body)
-	if err == nil {
-		c.reqBody = string(body)
+	if req.Body != nil {
+		body, err := io.ReadAll(req.Body)
+		if err == nil {
+			c.reqBody = string(body)
+		}
 	}
 	return &http.Response{
 		StatusCode: c.code,
--- a/management/server/idp/idp.go
+++ b/management/server/idp/idp.go
@@ -201,6 +201,12 @@ func NewManager(ctx context.Context, config Config, appMetrics telemetry.AppMetr
 			APIToken: config.ExtraConfig["ApiToken"],
 		}
 		return NewJumpCloudManager(jumpcloudConfig, appMetrics)
+	case "pocketid":
+		pocketidConfig := PocketIdClientConfig{
+			APIToken:           config.ExtraConfig["ApiToken"],
+			ManagementEndpoint: config.ExtraConfig["ManagementEndpoint"],
+		}
+		return NewPocketIdManager(pocketidConfig, appMetrics)
 	default:
 		return nil, fmt.Errorf("invalid manager type: %s", config.ManagerType)
 	}
--- a/management/server/idp/pocketid.go
+++ b/management/server/idp/pocketid.go
@@ -0,0 +1,384 @@
+package idp
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/netbirdio/netbird/management/server/telemetry"
+)
+
+type PocketIdManager struct {
+	managementEndpoint string
+	apiToken           string
+	httpClient         ManagerHTTPClient
+	credentials        ManagerCredentials
+	helper             ManagerHelper
+	appMetrics         telemetry.AppMetrics
+}
+
+type pocketIdCustomClaimDto struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
+type pocketIdUserDto struct {
+	CustomClaims []pocketIdCustomClaimDto `json:"customClaims"`
+	Disabled     bool                     `json:"disabled"`
+	DisplayName  string                   `json:"displayName"`
+	Email        string                   `json:"email"`
+	FirstName    string                   `json:"firstName"`
+	ID           string                   `json:"id"`
+	IsAdmin      bool                     `json:"isAdmin"`
+	LastName     string                   `json:"lastName"`
+	LdapID       string                   `json:"ldapId"`
+	Locale       string                   `json:"locale"`
+	UserGroups   []pocketIdUserGroupDto   `json:"userGroups"`
+	Username     string                   `json:"username"`
+}
+
+type pocketIdUserCreateDto struct {
+	Disabled    bool   `json:"disabled,omitempty"`
+	DisplayName string `json:"displayName"`
+	Email       string `json:"email"`
+	FirstName   string `json:"firstName"`
+	IsAdmin     bool   `json:"isAdmin,omitempty"`
+	LastName    string `json:"lastName,omitempty"`
+	Locale      string `json:"locale,omitempty"`
+	Username    string `json:"username"`
+}
+
+type pocketIdPaginatedUserDto struct {
+	Data       []pocketIdUserDto     `json:"data"`
+	Pagination pocketIdPaginationDto `json:"pagination"`
+}
+
+type pocketIdPaginationDto struct {
+	CurrentPage  int `json:"currentPage"`
+	ItemsPerPage int `json:"itemsPerPage"`
+	TotalItems   int `json:"totalItems"`
+	TotalPages   int `json:"totalPages"`
+}
+
+func (p *pocketIdUserDto) userData() *UserData {
+	return &UserData{
+		Email:       p.Email,
+		Name:        p.DisplayName,
+		ID:          p.ID,
+		AppMetadata: AppMetadata{},
+	}
+}
+
+type pocketIdUserGroupDto struct {
+	CreatedAt    string                   `json:"createdAt"`
+	CustomClaims []pocketIdCustomClaimDto `json:"customClaims"`
+	FriendlyName string                   `json:"friendlyName"`
+	ID           string                   `json:"id"`
+	LdapID       string                   `json:"ldapId"`
+	Name         string                   `json:"name"`
+}
+
+func NewPocketIdManager(config PocketIdClientConfig, appMetrics telemetry.AppMetrics) (*PocketIdManager, error) {
+	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
+	httpTransport.MaxIdleConns = 5
+
+	httpClient := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: httpTransport,
+	}
+	helper := JsonParser{}
+
+	if config.ManagementEndpoint == "" {
+		return nil, fmt.Errorf("pocketId IdP configuration is incomplete, ManagementEndpoint is missing")
+	}
+
+	if config.APIToken == "" {
+		return nil, fmt.Errorf("pocketId IdP configuration is incomplete, APIToken is missing")
+	}
+
+	credentials := &PocketIdCredentials{
+		clientConfig: config,
+		httpClient:   httpClient,
+		helper:       helper,
+		appMetrics:   appMetrics,
+	}
+
+	return &PocketIdManager{
+		managementEndpoint: config.ManagementEndpoint,
+		apiToken:           config.APIToken,
+		httpClient:         httpClient,
+		credentials:        credentials,
+		helper:             helper,
+		appMetrics:         appMetrics,
+	}, nil
+}
+
+func (p *PocketIdManager) request(ctx context.Context, method, resource string, query *url.Values, body string) ([]byte, error) {
+	var MethodsWithBody = []string{http.MethodPost, http.MethodPut}
+	if !slices.Contains(MethodsWithBody, method) && body != "" {
+		return nil, fmt.Errorf("Body provided to unsupported method: %s", method)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/%s", p.managementEndpoint, resource)
+	if query != nil {
+		reqURL = fmt.Sprintf("%s?%s", reqURL, query.Encode())
+	}
+	var req *http.Request
+	var err error
+	if body != "" {
+		req, err = http.NewRequestWithContext(ctx, method, reqURL, strings.NewReader(body))
+	} else {
+		req, err = http.NewRequestWithContext(ctx, method, reqURL, nil)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Add("X-API-KEY", p.apiToken)
+
+	if body != "" {
+		req.Header.Add("content-type", "application/json")
+		req.Header.Add("content-length", fmt.Sprintf("%d", req.ContentLength))
+	}
+
+	resp, err := p.httpClient.Do(req)
+	if err != nil {
+		if p.appMetrics != nil {
+			p.appMetrics.IDPMetrics().CountRequestError()
+		}
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
+		if p.appMetrics != nil {
+			p.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+
+		return nil, fmt.Errorf("received unexpected status code from PocketID API: %d", resp.StatusCode)
+	}
+
+	return io.ReadAll(resp.Body)
+}
+
+// getAllUsersPaginated fetches all users from PocketID API using pagination
+func (p *PocketIdManager) getAllUsersPaginated(ctx context.Context, searchParams url.Values) ([]pocketIdUserDto, error) {
+	var allUsers []pocketIdUserDto
+	currentPage := 1
+
+	for {
+		params := url.Values{}
+		// Copy existing search parameters
+		for key, values := range searchParams {
+			params[key] = values
+		}
+
+		params.Set("pagination[limit]", "100")
+		params.Set("pagination[page]", fmt.Sprintf("%d", currentPage))
+
+		body, err := p.request(ctx, http.MethodGet, "users", &params, "")
+		if err != nil {
+			return nil, err
+		}
+
+		var profiles pocketIdPaginatedUserDto
+		err = p.helper.Unmarshal(body, &profiles)
+		if err != nil {
+			return nil, err
+		}
+
+		allUsers = append(allUsers, profiles.Data...)
+
+		// Check if we've reached the last page
+		if currentPage >= profiles.Pagination.TotalPages {
+			break
+		}
+
+		currentPage++
+	}
+
+	return allUsers, nil
+}
+
+func (p *PocketIdManager) UpdateUserAppMetadata(_ context.Context, _ string, _ AppMetadata) error {
+	return nil
+}
+
+func (p *PocketIdManager) GetUserDataByID(ctx context.Context, userId string, appMetadata AppMetadata) (*UserData, error) {
+	body, err := p.request(ctx, http.MethodGet, "users/"+userId, nil, "")
+	if err != nil {
+		return nil, err
+	}
+
+	if p.appMetrics != nil {
+		p.appMetrics.IDPMetrics().CountGetUserDataByID()
+	}
+
+	var user pocketIdUserDto
+	err = p.helper.Unmarshal(body, &user)
+	if err != nil {
+		return nil, err
+	}
+
+	userData := user.userData()
+	userData.AppMetadata = appMetadata
+
+	return userData, nil
+}
+
+func (p *PocketIdManager) GetAccount(ctx context.Context, accountId string) ([]*UserData, error) {
+	// Get all users using pagination
+	allUsers, err := p.getAllUsersPaginated(ctx, url.Values{})
+	if err != nil {
+		return nil, err
+	}
+
+	if p.appMetrics != nil {
+		p.appMetrics.IDPMetrics().CountGetAccount()
+	}
+
+	users := make([]*UserData, 0)
+	for _, profile := range allUsers {
+		userData := profile.userData()
+		userData.AppMetadata.WTAccountID = accountId
+
+		users = append(users, userData)
+	}
+	return users, nil
+}
+
+func (p *PocketIdManager) GetAllAccounts(ctx context.Context) (map[string][]*UserData, error) {
+	// Get all users using pagination
+	allUsers, err := p.getAllUsersPaginated(ctx, url.Values{})
+	if err != nil {
+		return nil, err
+	}
+
+	if p.appMetrics != nil {
+		p.appMetrics.IDPMetrics().CountGetAllAccounts()
+	}
+
+	indexedUsers := make(map[string][]*UserData)
+	for _, profile := range allUsers {
+		userData := profile.userData()
+		indexedUsers[UnsetAccountID] = append(indexedUsers[UnsetAccountID], userData)
+	}
+
+	return indexedUsers, nil
+}
+
+func (p *PocketIdManager) CreateUser(ctx context.Context, email, name, accountID, invitedByEmail string) (*UserData, error) {
+	firstLast := strings.Split(name, " ")
+
+	createUser := pocketIdUserCreateDto{
+		Disabled:    false,
+		DisplayName: name,
+		Email:       email,
+		FirstName:   firstLast[0],
+		LastName:    firstLast[1],
+		Username:    firstLast[0] + "." + firstLast[1],
+	}
+	payload, err := p.helper.Marshal(createUser)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := p.request(ctx, http.MethodPost, "users", nil, string(payload))
+	if err != nil {
+		return nil, err
+	}
+	var newUser pocketIdUserDto
+	err = p.helper.Unmarshal(body, &newUser)
+	if err != nil {
+		return nil, err
+	}
+
+	if p.appMetrics != nil {
+		p.appMetrics.IDPMetrics().CountCreateUser()
+	}
+	var pending bool = true
+	ret := &UserData{
+		Email: email,
+		Name:  name,
+		ID:    newUser.ID,
+		AppMetadata: AppMetadata{
+			WTAccountID:     accountID,
+			WTPendingInvite: &pending,
+			WTInvitedBy:     invitedByEmail,
+		},
+	}
+	return ret, nil
+}
+
+func (p *PocketIdManager) GetUserByEmail(ctx context.Context, email string) ([]*UserData, error) {
+	params := url.Values{
+		// This value a
+		"search": []string{email},
+	}
+	body, err := p.request(ctx, http.MethodGet, "users", &params, "")
+	if err != nil {
+		return nil, err
+	}
+
+	if p.appMetrics != nil {
+		p.appMetrics.IDPMetrics().CountGetUserByEmail()
+	}
+
+	var profiles struct{ data []pocketIdUserDto }
+	err = p.helper.Unmarshal(body, &profiles)
+	if err != nil {
+		return nil, err
+	}
+
+	users := make([]*UserData, 0)
+	for _, profile := range profiles.data {
+		users = append(users, profile.userData())
+	}
+	return users, nil
+}
+
+func (p *PocketIdManager) InviteUserByID(ctx context.Context, userID string) error {
+	_, err := p.request(ctx, http.MethodPut, "users/"+userID+"/one-time-access-email", nil, "")
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (p *PocketIdManager) DeleteUser(ctx context.Context, userID string) error {
+	_, err := p.request(ctx, http.MethodDelete, "users/"+userID, nil, "")
+	if err != nil {
+		return err
+	}
+
+	if p.appMetrics != nil {
+		p.appMetrics.IDPMetrics().CountDeleteUser()
+	}
+
+	return nil
+}
+
+var _ Manager = (*PocketIdManager)(nil)
+
+type PocketIdClientConfig struct {
+	APIToken           string
+	ManagementEndpoint string
+}
+
+type PocketIdCredentials struct {
+	clientConfig PocketIdClientConfig
+	helper       ManagerHelper
+	httpClient   ManagerHTTPClient
+	appMetrics   telemetry.AppMetrics
+}
+
+var _ ManagerCredentials = (*PocketIdCredentials)(nil)
+
+func (p PocketIdCredentials) Authenticate(_ context.Context) (JWTToken, error) {
+	return JWTToken{}, nil
+}
--- a/management/server/idp/pocketid_test.go
+++ b/management/server/idp/pocketid_test.go
@@ -0,0 +1,138 @@
+package idp
+
+import (
+    "context"
+    "testing"
+
+    "github.com/stretchr/testify/assert"
+    "github.com/stretchr/testify/require"
+
+    "github.com/netbirdio/netbird/management/server/telemetry"
+)
+
+
+func TestNewPocketIdManager(t *testing.T) {
+    type test struct {
+        name                 string
+        inputConfig          PocketIdClientConfig
+        assertErrFunc        require.ErrorAssertionFunc
+        assertErrFuncMessage string
+    }
+
+    defaultTestConfig := PocketIdClientConfig{
+        APIToken:           "api_token",
+        ManagementEndpoint: "http://localhost",
+    }
+
+    tests := []test{
+        {
+            name:                 "Good Configuration",
+            inputConfig:          defaultTestConfig,
+            assertErrFunc:        require.NoError,
+            assertErrFuncMessage: "shouldn't return error",
+        },
+        {
+            name: "Missing ManagementEndpoint",
+            inputConfig: PocketIdClientConfig{
+                APIToken:           defaultTestConfig.APIToken,
+                ManagementEndpoint: "",
+            },
+            assertErrFunc:        require.Error,
+            assertErrFuncMessage: "should return error when field empty",
+        },
+        {
+            name: "Missing APIToken",
+            inputConfig: PocketIdClientConfig{
+                APIToken:           "",
+                ManagementEndpoint: defaultTestConfig.ManagementEndpoint,
+            },
+            assertErrFunc:        require.Error,
+            assertErrFuncMessage: "should return error when field empty",
+        },
+    }
+
+    for _, tc := range tests {
+        t.Run(tc.name, func(t *testing.T) {
+            _, err := NewPocketIdManager(tc.inputConfig, &telemetry.MockAppMetrics{})
+            tc.assertErrFunc(t, err, tc.assertErrFuncMessage)
+        })
+    }
+}
+
+func TestPocketID_GetUserDataByID(t *testing.T) {
+    client := &mockHTTPClient{code: 200, resBody: `{"id":"u1","email":"user1@example.com","displayName":"User One"}`}
+
+    mgr, err := NewPocketIdManager(PocketIdClientConfig{APIToken: "tok", ManagementEndpoint: "http://localhost"}, nil)
+    require.NoError(t, err)
+    mgr.httpClient = client
+
+    md := AppMetadata{WTAccountID: "acc1"}
+    got, err := mgr.GetUserDataByID(context.Background(), "u1", md)
+    require.NoError(t, err)
+    assert.Equal(t, "u1", got.ID)
+    assert.Equal(t, "user1@example.com", got.Email)
+    assert.Equal(t, "User One", got.Name)
+    assert.Equal(t, "acc1", got.AppMetadata.WTAccountID)
+}
+
+func TestPocketID_GetAccount_WithPagination(t *testing.T) {
+    // Single page response with two users
+    client := &mockHTTPClient{code: 200, resBody: `{"data":[{"id":"u1","email":"e1","displayName":"n1"},{"id":"u2","email":"e2","displayName":"n2"}],"pagination":{"currentPage":1,"itemsPerPage":100,"totalItems":2,"totalPages":1}}`}
+
+    mgr, err := NewPocketIdManager(PocketIdClientConfig{APIToken: "tok", ManagementEndpoint: "http://localhost"}, nil)
+    require.NoError(t, err)
+    mgr.httpClient = client
+
+    users, err := mgr.GetAccount(context.Background(), "accX")
+    require.NoError(t, err)
+    require.Len(t, users, 2)
+    assert.Equal(t, "u1", users[0].ID)
+    assert.Equal(t, "accX", users[0].AppMetadata.WTAccountID)
+    assert.Equal(t, "u2", users[1].ID)
+}
+
+func TestPocketID_GetAllAccounts_WithPagination(t *testing.T) {
+    client := &mockHTTPClient{code: 200, resBody: `{"data":[{"id":"u1","email":"e1","displayName":"n1"},{"id":"u2","email":"e2","displayName":"n2"}],"pagination":{"currentPage":1,"itemsPerPage":100,"totalItems":2,"totalPages":1}}`}
+
+    mgr, err := NewPocketIdManager(PocketIdClientConfig{APIToken: "tok", ManagementEndpoint: "http://localhost"}, nil)
+    require.NoError(t, err)
+    mgr.httpClient = client
+
+    accounts, err := mgr.GetAllAccounts(context.Background())
+    require.NoError(t, err)
+    require.Len(t, accounts[UnsetAccountID], 2)
+}
+
+func TestPocketID_CreateUser(t *testing.T) {
+    client := &mockHTTPClient{code: 201, resBody: `{"id":"newid","email":"new@example.com","displayName":"New User"}`}
+
+    mgr, err := NewPocketIdManager(PocketIdClientConfig{APIToken: "tok", ManagementEndpoint: "http://localhost"}, nil)
+    require.NoError(t, err)
+    mgr.httpClient = client
+
+    ud, err := mgr.CreateUser(context.Background(), "new@example.com", "New User", "acc1", "inviter@example.com")
+    require.NoError(t, err)
+    assert.Equal(t, "newid", ud.ID)
+    assert.Equal(t, "new@example.com", ud.Email)
+    assert.Equal(t, "New User", ud.Name)
+    assert.Equal(t, "acc1", ud.AppMetadata.WTAccountID)
+    if assert.NotNil(t, ud.AppMetadata.WTPendingInvite) {
+        assert.True(t, *ud.AppMetadata.WTPendingInvite)
+    }
+    assert.Equal(t, "inviter@example.com", ud.AppMetadata.WTInvitedBy)
+}
+
+func TestPocketID_InviteAndDeleteUser(t *testing.T) {
+    // Same mock for both calls; returns OK with empty JSON
+    client := &mockHTTPClient{code: 200, resBody: `{}`}
+
+    mgr, err := NewPocketIdManager(PocketIdClientConfig{APIToken: "tok", ManagementEndpoint: "http://localhost"}, nil)
+    require.NoError(t, err)
+    mgr.httpClient = client
+
+    err = mgr.InviteUserByID(context.Background(), "u1")
+    require.NoError(t, err)
+
+    err = mgr.DeleteUser(context.Background(), "u1")
+    require.NoError(t, err)
+}
--- a/management/server/integrated_validator.go
+++ b/management/server/integrated_validator.go
@@ -88,7 +88,7 @@ func (am *DefaultAccountManager) GroupValidation(ctx context.Context, accountID
 	return true, nil
 }

-func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, error) {
+func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error) {
 	var err error
 	var groups []*types.Group
 	var peers []*nbpeer.Peer
@@ -96,20 +96,30 @@ func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountI

 	groups, err = am.Store.GetAccountGroups(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	peers, err = am.Store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	settings, err = am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

-	return am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, groups, peers, settings.Extra)
+	validPeers, err := am.integratedPeerValidator.GetValidatedPeers(ctx, accountID, groups, peers, settings.Extra)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	invalidPeers, err := am.integratedPeerValidator.GetInvalidPeers(ctx, accountID, settings.Extra)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return validPeers, invalidPeers, nil
 }

 type MockIntegratedValidator struct {
@@ -136,7 +146,11 @@ func (a MockIntegratedValidator) GetValidatedPeers(_ context.Context, accountID
 	return validatedPeers, nil
 }

-func (MockIntegratedValidator) PreparePeer(_ context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings) *nbpeer.Peer {
+func (a MockIntegratedValidator) GetInvalidPeers(_ context.Context, accountID string, extraSettings *types.ExtraSettings) (map[string]string, error) {
+	return make(map[string]string), nil
+}
+
+func (MockIntegratedValidator) PreparePeer(_ context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings, temporary bool) *nbpeer.Peer {
 	return peer
 }

--- a/management/server/integrations/integrated_validator/interface.go
+++ b/management/server/integrations/integrated_validator/interface.go
@@ -3,18 +3,19 @@ package integrated_validator
 import (
 	"context"

-	"github.com/netbirdio/netbird/shared/management/proto"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/proto"
 )

 // IntegratedValidator interface exists to avoid the circle dependencies
 type IntegratedValidator interface {
 	ValidateExtraSettings(ctx context.Context, newExtraSettings *types.ExtraSettings, oldExtraSettings *types.ExtraSettings, peers map[string]*nbpeer.Peer, userID string, accountID string) error
 	ValidatePeer(ctx context.Context, update *nbpeer.Peer, peer *nbpeer.Peer, userID string, accountID string, dnsDomain string, peersGroup []string, extraSettings *types.ExtraSettings) (*nbpeer.Peer, bool, error)
-	PreparePeer(ctx context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings) *nbpeer.Peer
+	PreparePeer(ctx context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings, temporary bool) *nbpeer.Peer
 	IsNotValidPeer(ctx context.Context, accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *types.ExtraSettings) (bool, bool, error)
 	GetValidatedPeers(ctx context.Context, accountID string, groups []*types.Group, peers []*nbpeer.Peer, extraSettings *types.ExtraSettings) (map[string]struct{}, error)
+	GetInvalidPeers(ctx context.Context, accountID string, extraSettings *types.ExtraSettings) (map[string]string, error)
 	PeerDeleted(ctx context.Context, accountID, peerID string, extraSettings *types.ExtraSettings) error
 	SetPeerInvalidationListener(fn func(accountID string, peerIDs []string))
 	Stop(ctx context.Context)
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -189,17 +189,17 @@ func (am *MockAccountManager) OnPeerDisconnected(_ context.Context, accountID st
 	panic("implement me")
 }

-func (am *MockAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, error) {
+func (am *MockAccountManager) GetValidatedPeers(ctx context.Context, accountID string) (map[string]struct{}, map[string]string, error) {
 	account, err := am.GetAccountFunc(ctx, accountID)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	approvedPeers := make(map[string]struct{})
 	for id := range account.Peers {
 		approvedPeers[id] = struct{}{}
 	}
-	return approvedPeers, nil
+	return approvedPeers, nil, nil
 }

 // GetGroup mock implementation of GetGroup from server.AccountManager interface
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -350,7 +350,6 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 	}

 	var peer *nbpeer.Peer
-	var updateAccountPeers bool
 	var eventsToStore []func()

 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
@@ -363,11 +362,6 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 			return err
 		}

-		updateAccountPeers, err = isPeerInActiveGroup(ctx, transaction, accountID, peerID)
-		if err != nil {
-			return err
-		}
-
 		eventsToStore, err = deletePeers(ctx, am, transaction, accountID, userID, []*nbpeer.Peer{peer})
 		if err != nil {
 			return fmt.Errorf("failed to delete peer: %w", err)
@@ -387,7 +381,7 @@ func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peer
 		storeEvent()
 	}

-	if updateAccountPeers && userID != activity.SystemInitiator {
+	if userID != activity.SystemInitiator {
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}

@@ -584,7 +578,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		}
 	}

-	newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, groupsToAdd, settings.Extra)
+	newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, groupsToAdd, settings.Extra, temporary)

 	network, err := am.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
@@ -684,11 +678,6 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		return nil, nil, nil, fmt.Errorf("failed to add peer to database after %d attempts: %w", maxAttempts, err)
 	}

-	updateAccountPeers, err := isPeerInActiveGroup(ctx, am.Store, accountID, newPeer.ID)
-	if err != nil {
-		updateAccountPeers = true
-	}
-
 	if newPeer == nil {
 		return nil, nil, nil, fmt.Errorf("new peer is nil")
 	}
@@ -701,9 +690,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe

 	am.StoreEvent(ctx, opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)

-	if updateAccountPeers {
-		am.BufferUpdateAccountPeers(ctx, accountID)
-	}
+	am.BufferUpdateAccountPeers(ctx, accountID)

 	return am.getValidatedPeerWithMap(ctx, false, accountID, newPeer)
 }
@@ -1527,16 +1514,6 @@ func getPeerGroupIDs(ctx context.Context, transaction store.Store, accountID str
 	return transaction.GetPeerGroupIDs(ctx, store.LockingStrengthNone, accountID, peerID)
 }

-// IsPeerInActiveGroup checks if the given peer is part of a group that is used
-// in an active DNS, route, or ACL configuration.
-func isPeerInActiveGroup(ctx context.Context, transaction store.Store, accountID, peerID string) (bool, error) {
-	peerGroupIDs, err := getPeerGroupIDs(ctx, transaction, accountID, peerID)
-	if err != nil {
-		return false, err
-	}
-	return areGroupChangesAffectPeers(ctx, transaction, accountID, peerGroupIDs) // TODO: use transaction
-}
-
 // deletePeers deletes all specified peers and sends updates to the remote peers.
 // Returns a slice of functions to save events after successful peer deletion.
 func deletePeers(ctx context.Context, am *DefaultAccountManager, transaction store.Store, accountID, userID string, peers []*nbpeer.Peer) ([]func(), error) {
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -1790,7 +1790,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("adding peer to unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg) //
+			peerShouldReceiveUpdate(t, updMsg) //
 			close(done)
 		}()

@@ -1815,7 +1815,7 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
 	t.Run("deleting peer with unlinked group", func(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
-			peerShouldNotReceiveUpdate(t, updMsg)
+			peerShouldReceiveUpdate(t, updMsg)
 			close(done)
 		}()