bump reva v2.39.3

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/beevik/etree v1.6.0
 	github.com/blevesearch/bleve/v2 v2.5.5
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.16.0
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/cs3org/go-cs3apis v0.0.0-20250908152307-4ca807afe54e
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
@@ -64,7 +64,7 @@ require (
 	github.com/open-policy-agent/opa v1.10.1
 	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
-	github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397
+	github.com/opencloud-eu/reva/v2 v2.39.3
 	github.com/opensearch-project/opensearch-go/v4 v4.5.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1

go.sum

@@ -243,8 +243,8 @@ github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsW
 github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
-github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
@@ -961,8 +961,8 @@ github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIft
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397 h1:69kNapq4vaOfe6+KNF7Q7BibUjluCnK8VuS2UXigkjU=
-github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397/go.mod h1:iB6Z8rgsbVMYMvicUm00ZwkwJHQow38K/GUSJgAPgEo=
+github.com/opencloud-eu/reva/v2 v2.39.3 h1:/9NW08Bpy1GaNAPo8HrlyT21Flj8uNnOUyWLud1ehGc=
+github.com/opencloud-eu/reva/v2 v2.39.3/go.mod h1:kkGiMeEVR59VjDsmWIczWqRcwK8cy9ogTd/u802U3NI=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=

vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go

@@ -162,7 +162,7 @@ var supportedAlgorithms = map[string]bool{
 // parsing.
 //
 //	// Directly fetch the metadata document.
-// 	resp, err := http.Get("https://login.example.com/custom-metadata-path")
+//	resp, err := http.Get("https://login.example.com/custom-metadata-path")
 //	if err != nil {
 //		// ...
 //	}
@@ -267,7 +267,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 		issuerURL = issuer
 	}
 	if p.Issuer != issuerURL && !skipIssuerValidation {
-		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
+		return nil, fmt.Errorf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", issuer, p.Issuer)
 	}
 	var algs []string
 	for _, a := range p.Algorithms {

vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/blobstore/blobstore.go

@@ -25,11 +25,13 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
 	"github.com/pkg/xattr"
 
+	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/metadata/prefixes"
 	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/node"
 )
 
@@ -91,11 +93,15 @@ func (bs *Blobstore) Upload(n *node.Node, source, copyTarget string) error {
 
 	var mtime *time.Time
 	for k, v := range nodeAttributes {
+		if !strings.HasPrefix(k, prefixes.OcPrefix) {
+			continue
+		}
+
 		if err := xattr.Set(tempName, k, v); err != nil {
 			return fmt.Errorf("failed to set xattr '%s' on temp file '%s' - %v", k, tempName, err)
 		}
 
-		if k == "user.oc.mtime" {
+		if k == prefixes.MTimeAttr {
 			tv, err := time.Parse(time.RFC3339Nano, string(v))
 			if err == nil {
 				mtime = &tv

vendor/github.com/opencloud-eu/reva/v2/pkg/utils/ldap/identity.go

@@ -541,24 +541,47 @@ func (i *Identity) GetLDAPGroupMembers(ctx context.Context, lc ldap.Client, grou
 	return memberEntries, nil
 }
 
-func filterEscapeBinaryUUID(value uuid.UUID) string {
-	filtered := ""
-	for _, b := range value {
-		filtered = fmt.Sprintf("%s\\%02x", filtered, b)
+func filterEscapeAttribute(attribute string, binary bool, id string) (string, error) {
+	var escaped string
+	if binary {
+		pid, err := uuid.Parse(id)
+		if err != nil {
+			err := fmt.Errorf("error parsing id '%s' as UUID: %w", id, err)
+			return "", err
+		}
+		escaped = filterEscapeBinaryUUID(attribute, pid)
+	} else {
+		escaped = ldap.EscapeFilter(id)
 	}
-	return filtered
+	return escaped, nil
+}
+
+func filterEscapeBinaryUUID(attribute string, value uuid.UUID) string {
+	bytes := value[:]
+
+	// AD stores objectGUID with mixed endianness 🤪 - swap first 3 components
+	if strings.EqualFold(attribute, "objectguid") {
+		bytes = []byte{
+			value[3], value[2], value[1], value[0], // First component (4 bytes) - reverse
+			value[5], value[4], // Second component (2 bytes) - reverse
+			value[7], value[6], // Third component (2 bytes) - reverse
+			value[8], value[9], value[10], value[11], value[12], value[13], value[14], value[15], // Last 8 bytes - keep as-is
+		}
+	}
+
+	var filtered strings.Builder
+	filtered.Grow(len(bytes) * 3) // Pre-allocate: each byte becomes "\xx"
+	for _, b := range bytes {
+		fmt.Fprintf(&filtered, "\\%02x", b)
+	}
+	return filtered.String()
 }
 
 func (i *Identity) getUserFilter(uid *identityUser.UserId) (string, error) {
 	var escapedUUID string
-	if i.User.Schema.IDIsOctetString {
-		id, err := uuid.Parse(uid.GetOpaqueId())
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", uid, err)
-		}
-		escapedUUID = filterEscapeBinaryUUID(id)
-	} else {
-		escapedUUID = ldap.EscapeFilter(uid.GetOpaqueId())
+	escapedUUID, err := filterEscapeAttribute(i.User.Schema.ID, i.User.Schema.IDIsOctetString, uid.GetOpaqueId())
+	if err != nil {
+		return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", uid, err)
 	}
 	return fmt.Sprintf("(&%s(objectclass=%s)%s(%s=%s))",
 		i.User.Filter,
@@ -586,14 +609,9 @@ func (i *Identity) getUserAttributeFilter(attribute, value, tenantID string) (st
 	default:
 		return "", errors.New("ldap: invalid field " + attribute)
 	}
-	if attribute == i.User.Schema.ID && i.User.Schema.IDIsOctetString {
-		id, err := uuid.Parse(value)
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", value, err)
-		}
-		value = filterEscapeBinaryUUID(id)
-	} else {
-		value = ldap.EscapeFilter(value)
+	value, err := filterEscapeAttribute(i.User.Schema.ID, i.User.Schema.IDIsOctetString, value)
+	if err != nil {
+		return "", fmt.Errorf("error parsing attribute '%s' value '%s' as UUID: %w", attribute, value, err)
 	}
 	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s)%s%s)",
 		i.User.Filter,
@@ -719,15 +737,9 @@ func (i *Identity) getGroupMemberFilter(memberName string) string {
 }
 
 func (i *Identity) getGroupFilter(id string) (string, error) {
-	var escapedUUID string
-	if i.Group.Schema.IDIsOctetString {
-		id, err := uuid.Parse(id)
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", id, err)
-		}
-		escapedUUID = filterEscapeBinaryUUID(id)
-	} else {
-		escapedUUID = ldap.EscapeFilter(id)
+	escapedUUID, err := filterEscapeAttribute(i.Group.Schema.ID, i.Group.Schema.IDIsOctetString, id)
+	if err != nil {
+		return "", fmt.Errorf("error parsing attribute '%s' value '%s' as UUID: %w", i.Group.Schema.ID, id, err)
 	}
 
 	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
@@ -753,14 +765,9 @@ func (i *Identity) getGroupAttributeFilter(attribute, value string) (string, err
 	default:
 		return "", errors.New("ldap: invalid field " + attribute)
 	}
-	if attribute == i.Group.Schema.ID && i.Group.Schema.IDIsOctetString {
-		id, err := uuid.Parse(value)
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", value, err)
-		}
-		value = filterEscapeBinaryUUID(id)
-	} else {
-		value = ldap.EscapeFilter(value)
+	value, err := filterEscapeAttribute(i.Group.Schema.ID, i.Group.Schema.IDIsOctetString, value)
+	if err != nil {
+		return "", fmt.Errorf("error parsing attribute '%s' value '%s' as UUID: %w", attribute, value, err)
 	}
 	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
 		i.Group.Filter,

vendor/modules.txt

@@ -291,7 +291,7 @@ github.com/containerd/log
 # github.com/containerd/platforms v1.0.0-rc.1
 ## explicit; go 1.20
 github.com/containerd/platforms
-# github.com/coreos/go-oidc/v3 v3.16.0
+# github.com/coreos/go-oidc/v3 v3.17.0
 ## explicit; go 1.24.0
 github.com/coreos/go-oidc/v3/oidc
 # github.com/coreos/go-semver v0.3.1
@@ -1355,7 +1355,7 @@ github.com/opencloud-eu/icap-client
 # github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
 ## explicit; go 1.18
 github.com/opencloud-eu/libre-graph-api-go
-# github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397
+# github.com/opencloud-eu/reva/v2 v2.39.3
 ## explicit; go 1.24.1
 github.com/opencloud-eu/reva/v2/cmd/revad/internal/grace
 github.com/opencloud-eu/reva/v2/cmd/revad/runtime