update opencloud 4.0.0-rc.2 (#1917)

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

.woodpecker.env

@@ -1,4 +1,4 @@
 # The test runner source for UI tests
-WEB_COMMITID=6abffcc9cff31c46a341105eb6030fec56338126
-WEB_BRANCH=main
+WEB_COMMITID=3d7367cfb1abe288d0fc0b0b1cc494a7747bcaf6
+WEB_BRANCH=stable-4.2
 

.woodpecker.star

@@ -608,7 +608,7 @@ def testPipelines(ctx):
         pipelines += apiTests(ctx)
 
     enable_watch_fs = [False]
-    if ctx.build.event == "cron" or "full-ci" in ctx.build.title.lower():
+    if ctx.build.event == "cron":
         enable_watch_fs.append(True)
 
     for run_with_watch_fs_enabled in enable_watch_fs:
@@ -994,7 +994,7 @@ def localApiTestPipeline(ctx):
 
     with_remote_php = [True]
     enable_watch_fs = [False]
-    if ctx.build.event == "cron" or "full-ci" in ctx.build.title.lower():
+    if ctx.build.event == "cron":
         with_remote_php.append(False)
         enable_watch_fs.append(True)
 
@@ -1310,7 +1310,7 @@ def apiTests(ctx):
 
     with_remote_php = [True]
     enable_watch_fs = [False]
-    if ctx.build.event == "cron" or "full-ci" in ctx.build.title.lower():
+    if ctx.build.event == "cron":
         with_remote_php.append(False)
         enable_watch_fs.append(True)
 

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/beevik/etree v1.6.0
 	github.com/blevesearch/bleve/v2 v2.5.5
 	github.com/cenkalti/backoff v2.2.1+incompatible
-	github.com/coreos/go-oidc/v3 v3.16.0
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/cs3org/go-cs3apis v0.0.0-20250908152307-4ca807afe54e
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
@@ -64,7 +64,7 @@ require (
 	github.com/open-policy-agent/opa v1.10.1
 	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
-	github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397
+	github.com/opencloud-eu/reva/v2 v2.39.3
 	github.com/opensearch-project/opensearch-go/v4 v4.5.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1

go.sum

@@ -243,8 +243,8 @@ github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsW
 github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
-github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
@@ -961,8 +961,8 @@ github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIft
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76 h1:vD/EdfDUrv4omSFjrinT8Mvf+8D7f9g4vgQ2oiDrVUI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397 h1:69kNapq4vaOfe6+KNF7Q7BibUjluCnK8VuS2UXigkjU=
-github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397/go.mod h1:iB6Z8rgsbVMYMvicUm00ZwkwJHQow38K/GUSJgAPgEo=
+github.com/opencloud-eu/reva/v2 v2.39.3 h1:/9NW08Bpy1GaNAPo8HrlyT21Flj8uNnOUyWLud1ehGc=
+github.com/opencloud-eu/reva/v2 v2.39.3/go.mod h1:kkGiMeEVR59VjDsmWIczWqRcwK8cy9ogTd/u802U3NI=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=

opencloud/docker/Dockerfile.multiarch

@@ -1,4 +1,4 @@
-FROM golang:alpine3.21 AS build
+FROM golang:alpine3.22 AS build
 ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION
@@ -13,7 +13,7 @@ RUN --mount=type=bind,target=/build,rw \
     GOOS="${TARGETOS:-linux}" GOARCH="${TARGETARCH:-amd64}" ; \
     make -C opencloud/opencloud release-linux-docker-${TARGETARCH} ENABLE_VIPS=true DIST=/dist
 
-FROM alpine:3.21
+FROM alpine:3.22
 ARG VERSION
 ARG REVISION
 ARG TARGETOS

pkg/version/version.go

@@ -16,7 +16,7 @@ var (
 	// LatestTag is the latest released version plus the dev meta version.
 	// Will be overwritten by the release pipeline
 	// Needs a manual change for every tagged release
-	LatestTag = "4.0.0-rc.1+dev"
+	LatestTag = "4.0.0-rc.2+dev"
 
 	// Date indicates the build date.
 	// This has been removed, it looks like you can only replace static strings with recent go versions

services/activitylog/pkg/service/l10n/locale/fi/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-11-06 00:02+0000\n"
+"POT-Creation-Date: 2025-11-26 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/opencloud-eu/teams/204053/fi/)\n"

services/graph/pkg/identity/ldap.go

@@ -497,7 +497,7 @@ func (i *LDAP) searchLDAPEntryByFilter(basedn string, attrs []string, filter str
 	return res.Entries[0], nil
 }
 
-func filterEscapeUUID(binary bool, id string) (string, error) {
+func filterEscapeAttribute(attribute string, binary bool, id string) (string, error) {
 	var escaped string
 	if binary {
 		pid, err := uuid.Parse(id)
@@ -505,17 +505,44 @@ func filterEscapeUUID(binary bool, id string) (string, error) {
 			err := fmt.Errorf("error parsing id '%s' as UUID: %w", id, err)
 			return "", err
 		}
-		for _, b := range pid {
-			escaped = fmt.Sprintf("%s\\%02x", escaped, b)
-		}
+		escaped = filterEscapeBinaryUUID(attribute, pid)
 	} else {
 		escaped = ldap.EscapeFilter(id)
 	}
 	return escaped, nil
 }
 
+// swapObjectGUIDBytes converts between AD's mixed-endian objectGUID format and standard UUID byte order
+func swapObjectGUIDBytes(value []byte) []byte {
+	if len(value) != 16 {
+		return value
+	}
+	return []byte{
+		value[3], value[2], value[1], value[0], // First component (4 bytes) - reverse
+		value[5], value[4], // Second component (2 bytes) - reverse
+		value[7], value[6], // Third component (2 bytes) - reverse
+		value[8], value[9], value[10], value[11], value[12], value[13], value[14], value[15], // Last 8 bytes - keep as-is
+	}
+}
+
+func filterEscapeBinaryUUID(attribute string, value uuid.UUID) string {
+	bytes := value[:]
+
+	// AD stores objectGUID with mixed endianness 🤪 - swap first 3 components
+	if strings.EqualFold(attribute, "objectguid") {
+		bytes = swapObjectGUIDBytes(bytes)
+	}
+
+	var filtered strings.Builder
+	filtered.Grow(len(bytes) * 3) // Pre-allocate: each byte becomes "\xx"
+	for _, b := range bytes {
+		fmt.Fprintf(&filtered, "\\%02x", b)
+	}
+	return filtered.String()
+}
+
 func (i *LDAP) getLDAPUserByID(id string) (*ldap.Entry, error) {
-	idString, err := filterEscapeUUID(i.userIDisOctetString, id)
+	idString, err := filterEscapeAttribute(i.userAttributeMap.id, i.userIDisOctetString, id)
 	if err != nil {
 		return nil, fmt.Errorf("invalid User id: %w", err)
 	}
@@ -524,7 +551,7 @@ func (i *LDAP) getLDAPUserByID(id string) (*ldap.Entry, error) {
 }
 
 func (i *LDAP) getLDAPUserByNameOrID(nameOrID string) (*ldap.Entry, error) {
-	idString, err := filterEscapeUUID(i.userIDisOctetString, nameOrID)
+	idString, err := filterEscapeAttribute(i.userAttributeMap.id, i.userIDisOctetString, nameOrID)
 	// err != nil just means that this is not an uuid, so we can skip the uuid filter part
 	// and just filter by name
 	var filter string
@@ -812,16 +839,25 @@ func (i *LDAP) updateUserPassword(ctx context.Context, dn, password string) erro
 	return err
 }
 
-func (i *LDAP) ldapUUIDtoString(e *ldap.Entry, attrType string, binary bool) (string, error) {
+func (i *LDAP) ldapUUIDtoString(e *ldap.Entry, attribute string, binary bool) (string, error) {
 	if binary {
-		rawValue := e.GetEqualFoldRawAttributeValue(attrType)
-		value, err := uuid.FromBytes(rawValue)
-		if err == nil {
-			return value.String(), nil
+		value := e.GetEqualFoldRawAttributeValue(attribute)
+
+		if len(value) != 16 {
+			return "", fmt.Errorf("invalid UUID in '%s' attribute (got %d bytes)", attribute, len(value))
 		}
-		return "", err
+
+		// AD stores objectGUID with mixed endianness 🤪 - swap first 3 components
+		if strings.EqualFold(attribute, "objectguid") {
+			value = swapObjectGUIDBytes(value)
+		}
+		id, err := uuid.FromBytes(value)
+		if err != nil {
+			return "", fmt.Errorf("error parsing UUID from '%s' attribute bytes: %w", attribute, err)
+		}
+		return id.String(), nil
 	}
-	return e.GetEqualFoldAttributeValue(attrType), nil
+	return e.GetEqualFoldAttributeValue(attribute), nil
 }
 
 func (i *LDAP) createUserModelFromLDAP(e *ldap.Entry) *libregraph.User {
@@ -876,7 +912,7 @@ func (i *LDAP) createUserModelFromLDAP(e *ldap.Entry) *libregraph.User {
 		}
 		return user
 	}
-	i.logger.Warn().Str("dn", e.DN).Msg("Invalid User. Missing username or id attribute")
+	i.logger.Warn().Str("dn", e.DN).Str("id", id).Str("username", opsan).Msg("Invalid User. Missing username or id attribute")
 	return nil
 }
 

services/graph/pkg/identity/ldap_group.go

@@ -455,7 +455,7 @@ func (i *LDAP) groupToLDAPAttrValues(group libregraph.Group) (map[string][]strin
 }
 
 func (i *LDAP) getLDAPGroupByID(id string, requestMembers bool) (*ldap.Entry, error) {
-	idString, err := filterEscapeUUID(i.groupIDisOctetString, id)
+	idString, err := filterEscapeAttribute(i.groupAttributeMap.id, i.groupIDisOctetString, id)
 	if err != nil {
 		return nil, fmt.Errorf("invalid group id: %w", err)
 	}
@@ -464,7 +464,7 @@ func (i *LDAP) getLDAPGroupByID(id string, requestMembers bool) (*ldap.Entry, er
 }
 
 func (i *LDAP) getLDAPGroupByNameOrID(nameOrID string, requestMembers bool) (*ldap.Entry, error) {
-	idString, err := filterEscapeUUID(i.groupIDisOctetString, nameOrID)
+	idString, err := filterEscapeAttribute(i.groupAttributeMap.id, i.groupIDisOctetString, nameOrID)
 	// err != nil just means that this is not an uuid, so we can skip the uuid filter part
 	// and just filter by name
 	filter := ""

services/graph/pkg/identity/ldap_test.go

@@ -2,6 +2,7 @@ package identity
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/url"
@@ -9,10 +10,10 @@ import (
 
 	"github.com/CiscoM31/godata"
 	"github.com/go-ldap/ldap/v3"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/config"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/identity/mocks"
-	libregraph "github.com/opencloud-eu/libre-graph-api-go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )
@@ -63,6 +64,33 @@ var userEntry = ldap.NewEntry("uid=user",
 		"usertypeattribute":    {"Member"},
 	})
 
+var lconfigAD = config.LDAP{
+	UserBaseDN:               "ou=users,dc=test",
+	UserObjectClass:          "user",
+	UserSearchScope:          "sub",
+	UserFilter:               "",
+	UserDisplayNameAttribute: "displayname",
+	UserIDAttribute:          "objectGUID",
+	UserIDIsOctetString:      true,
+	UserEmailAttribute:       "mail",
+	UserNameAttribute:        "uid",
+	UserEnabledAttribute:     "userEnabledAttribute",
+	UserTypeAttribute:        "userTypeAttribute",
+	LdapDisabledUsersGroupDN: disableUsersGroup,
+	DisableUserMechanism:     "attribute",
+
+	GroupBaseDN:          "ou=groups,dc=test",
+	GroupObjectClass:     "group",
+	GroupSearchScope:     "sub",
+	GroupFilter:          "",
+	GroupNameAttribute:   "cn",
+	GroupMemberAttribute: "member",
+	GroupIDAttribute:     "objectGUID",
+	GroupIDIsOctetString: true,
+
+	WriteEnabled: true,
+}
+
 var invalidUserEntry = ldap.NewEntry("uid=user",
 	map[string][]string{
 		"uid":         {"invalid"},
@@ -260,6 +288,50 @@ func TestGetUser(t *testing.T) {
 	assert.ErrorContains(t, err, "itemNotFound:")
 }
 
+func TestGetUserAD(t *testing.T) {
+
+	// we have to simulate ldap / AD returning a binary encoded objectguid
+	byteID, err := base64.StdEncoding.DecodeString("js8n0m6YBUqIYK8ZMFYnig==")
+	if err != nil {
+		t.Error(err)
+	}
+	userEntryAD := ldap.NewEntry("uid=user",
+		map[string][]string{
+			"uid":                  {"user"},
+			"displayname":          {"DisplayName"},
+			"mail":                 {"user@example"},
+			"objectguid":           {string(byteID)}, // ugly but works
+			"sn":                   {"surname"},
+			"givenname":            {"givenName"},
+			"userenabledattribute": {"TRUE"},
+			"usertypeattribute":    {"Member"},
+		})
+
+	// Mock a valid Search Result
+	lm := &mocks.Client{}
+	lm.On("Search", mock.Anything).
+		Return(
+			&ldap.SearchResult{
+				Entries: []*ldap.Entry{userEntryAD},
+			},
+			nil)
+
+	odataReqDefault, err := godata.ParseRequest(context.Background(), "",
+		url.Values{})
+	if err != nil {
+		t.Errorf("Expected success got '%s'", err.Error())
+	}
+
+	b, _ := getMockedBackend(lm, lconfigAD, &logger)
+	u, err := b.GetUser(context.Background(), "user", odataReqDefault)
+	if err != nil {
+		t.Errorf("Expected GetUser to succeed. Got %s", err.Error())
+	} else if *u.Id != "d227cf8e-986e-4a05-8860-af193056278a" { // this checks if we decoded the objectguid correctly
+		t.Errorf("Expected GetUser to return a valid user")
+	}
+
+}
+
 func TestGetUsers(t *testing.T) {
 	// Mock a Sizelimit Error
 	lm := &mocks.Client{}

services/graph/pkg/l10n/locale/fi/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-11-06 00:02+0000\n"
+"POT-Creation-Date: 2025-11-26 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/opencloud-eu/teams/204053/fi/)\n"

services/graph/pkg/l10n/locale/uk/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-11-06 00:02+0000\n"
+"POT-Creation-Date: 2025-11-26 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: LinkinWires <darkinsonic13@gmail.com>, 2025\n"
 "Language-Team: Ukrainian (https://app.transifex.com/opencloud-eu/teams/204053/uk/)\n"

services/settings/pkg/service/v0/l10n/locale/uk/LC_MESSAGES/settings.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-11-06 00:02+0000\n"
+"POT-Creation-Date: 2025-11-26 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: LinkinWires <darkinsonic13@gmail.com>, 2025\n"
 "Language-Team: Ukrainian (https://app.transifex.com/opencloud-eu/teams/204053/uk/)\n"

services/userlog/pkg/service/l10n/locale/fi/LC_MESSAGES/userlog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-11-06 00:02+0000\n"
+"POT-Creation-Date: 2025-11-26 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/opencloud-eu/teams/204053/fi/)\n"

services/web/Makefile

@@ -1,6 +1,6 @@
 SHELL := bash
 NAME := web
-WEB_ASSETS_VERSION = v4.2.1-alpha.1
+WEB_ASSETS_VERSION = v4.2.1-rc.1
 WEB_ASSETS_BRANCH = main
 
 ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warnings` for non go targets in CI

vendor/github.com/coreos/go-oidc/v3/oidc/oidc.go

@@ -162,7 +162,7 @@ var supportedAlgorithms = map[string]bool{
 // parsing.
 //
 //	// Directly fetch the metadata document.
-// 	resp, err := http.Get("https://login.example.com/custom-metadata-path")
+//	resp, err := http.Get("https://login.example.com/custom-metadata-path")
 //	if err != nil {
 //		// ...
 //	}
@@ -267,7 +267,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 		issuerURL = issuer
 	}
 	if p.Issuer != issuerURL && !skipIssuerValidation {
-		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
+		return nil, fmt.Errorf("oidc: issuer URL provided to client (%q) did not match the issuer URL returned by provider (%q)", issuer, p.Issuer)
 	}
 	var algs []string
 	for _, a := range p.Algorithms {

vendor/github.com/opencloud-eu/reva/v2/pkg/storage/fs/posix/blobstore/blobstore.go

@@ -25,11 +25,13 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
 	"github.com/pkg/xattr"
 
+	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/metadata/prefixes"
 	"github.com/opencloud-eu/reva/v2/pkg/storage/pkg/decomposedfs/node"
 )
 
@@ -91,11 +93,15 @@ func (bs *Blobstore) Upload(n *node.Node, source, copyTarget string) error {
 
 	var mtime *time.Time
 	for k, v := range nodeAttributes {
+		if !strings.HasPrefix(k, prefixes.OcPrefix) {
+			continue
+		}
+
 		if err := xattr.Set(tempName, k, v); err != nil {
 			return fmt.Errorf("failed to set xattr '%s' on temp file '%s' - %v", k, tempName, err)
 		}
 
-		if k == "user.oc.mtime" {
+		if k == prefixes.MTimeAttr {
 			tv, err := time.Parse(time.RFC3339Nano, string(v))
 			if err == nil {
 				mtime = &tv

vendor/github.com/opencloud-eu/reva/v2/pkg/utils/ldap/identity.go

@@ -541,24 +541,47 @@ func (i *Identity) GetLDAPGroupMembers(ctx context.Context, lc ldap.Client, grou
 	return memberEntries, nil
 }
 
-func filterEscapeBinaryUUID(value uuid.UUID) string {
-	filtered := ""
-	for _, b := range value {
-		filtered = fmt.Sprintf("%s\\%02x", filtered, b)
+func filterEscapeAttribute(attribute string, binary bool, id string) (string, error) {
+	var escaped string
+	if binary {
+		pid, err := uuid.Parse(id)
+		if err != nil {
+			err := fmt.Errorf("error parsing id '%s' as UUID: %w", id, err)
+			return "", err
+		}
+		escaped = filterEscapeBinaryUUID(attribute, pid)
+	} else {
+		escaped = ldap.EscapeFilter(id)
 	}
-	return filtered
+	return escaped, nil
+}
+
+func filterEscapeBinaryUUID(attribute string, value uuid.UUID) string {
+	bytes := value[:]
+
+	// AD stores objectGUID with mixed endianness 🤪 - swap first 3 components
+	if strings.EqualFold(attribute, "objectguid") {
+		bytes = []byte{
+			value[3], value[2], value[1], value[0], // First component (4 bytes) - reverse
+			value[5], value[4], // Second component (2 bytes) - reverse
+			value[7], value[6], // Third component (2 bytes) - reverse
+			value[8], value[9], value[10], value[11], value[12], value[13], value[14], value[15], // Last 8 bytes - keep as-is
+		}
+	}
+
+	var filtered strings.Builder
+	filtered.Grow(len(bytes) * 3) // Pre-allocate: each byte becomes "\xx"
+	for _, b := range bytes {
+		fmt.Fprintf(&filtered, "\\%02x", b)
+	}
+	return filtered.String()
 }
 
 func (i *Identity) getUserFilter(uid *identityUser.UserId) (string, error) {
 	var escapedUUID string
-	if i.User.Schema.IDIsOctetString {
-		id, err := uuid.Parse(uid.GetOpaqueId())
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", uid, err)
-		}
-		escapedUUID = filterEscapeBinaryUUID(id)
-	} else {
-		escapedUUID = ldap.EscapeFilter(uid.GetOpaqueId())
+	escapedUUID, err := filterEscapeAttribute(i.User.Schema.ID, i.User.Schema.IDIsOctetString, uid.GetOpaqueId())
+	if err != nil {
+		return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", uid, err)
 	}
 	return fmt.Sprintf("(&%s(objectclass=%s)%s(%s=%s))",
 		i.User.Filter,
@@ -586,14 +609,9 @@ func (i *Identity) getUserAttributeFilter(attribute, value, tenantID string) (st
 	default:
 		return "", errors.New("ldap: invalid field " + attribute)
 	}
-	if attribute == i.User.Schema.ID && i.User.Schema.IDIsOctetString {
-		id, err := uuid.Parse(value)
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", value, err)
-		}
-		value = filterEscapeBinaryUUID(id)
-	} else {
-		value = ldap.EscapeFilter(value)
+	value, err := filterEscapeAttribute(i.User.Schema.ID, i.User.Schema.IDIsOctetString, value)
+	if err != nil {
+		return "", fmt.Errorf("error parsing attribute '%s' value '%s' as UUID: %w", attribute, value, err)
 	}
 	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s)%s%s)",
 		i.User.Filter,
@@ -719,15 +737,9 @@ func (i *Identity) getGroupMemberFilter(memberName string) string {
 }
 
 func (i *Identity) getGroupFilter(id string) (string, error) {
-	var escapedUUID string
-	if i.Group.Schema.IDIsOctetString {
-		id, err := uuid.Parse(id)
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", id, err)
-		}
-		escapedUUID = filterEscapeBinaryUUID(id)
-	} else {
-		escapedUUID = ldap.EscapeFilter(id)
+	escapedUUID, err := filterEscapeAttribute(i.Group.Schema.ID, i.Group.Schema.IDIsOctetString, id)
+	if err != nil {
+		return "", fmt.Errorf("error parsing attribute '%s' value '%s' as UUID: %w", i.Group.Schema.ID, id, err)
 	}
 
 	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
@@ -753,14 +765,9 @@ func (i *Identity) getGroupAttributeFilter(attribute, value string) (string, err
 	default:
 		return "", errors.New("ldap: invalid field " + attribute)
 	}
-	if attribute == i.Group.Schema.ID && i.Group.Schema.IDIsOctetString {
-		id, err := uuid.Parse(value)
-		if err != nil {
-			return "", fmt.Errorf("error parsing OpaqueID '%s' as UUID: %w", value, err)
-		}
-		value = filterEscapeBinaryUUID(id)
-	} else {
-		value = ldap.EscapeFilter(value)
+	value, err := filterEscapeAttribute(i.Group.Schema.ID, i.Group.Schema.IDIsOctetString, value)
+	if err != nil {
+		return "", fmt.Errorf("error parsing attribute '%s' value '%s' as UUID: %w", attribute, value, err)
 	}
 	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
 		i.Group.Filter,

vendor/modules.txt

@@ -291,7 +291,7 @@ github.com/containerd/log
 # github.com/containerd/platforms v1.0.0-rc.1
 ## explicit; go 1.20
 github.com/containerd/platforms
-# github.com/coreos/go-oidc/v3 v3.16.0
+# github.com/coreos/go-oidc/v3 v3.17.0
 ## explicit; go 1.24.0
 github.com/coreos/go-oidc/v3/oidc
 # github.com/coreos/go-semver v0.3.1
@@ -1355,7 +1355,7 @@ github.com/opencloud-eu/icap-client
 # github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20250724122329-41ba6b191e76
 ## explicit; go 1.18
 github.com/opencloud-eu/libre-graph-api-go
-# github.com/opencloud-eu/reva/v2 v2.39.3-0.20251121093521-c51ed14c8397
+# github.com/opencloud-eu/reva/v2 v2.39.3
 ## explicit; go 1.24.1
 github.com/opencloud-eu/reva/v2/cmd/revad/internal/grace
 github.com/opencloud-eu/reva/v2/cmd/revad/runtime