add env

.github/workflows/labels.yml

@@ -4,8 +4,6 @@ on:
     types: [opened, labeled, unlabeled, synchronize]
 jobs:
   label:
-    # Only run if PR is not from a fork
-    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     permissions:
       issues: write

.make/protobuf.mk

@@ -14,12 +14,12 @@ protoc-deps: $(BINGO)
 	@cd ../.. && GOPATH="" GOBIN=".bingo" $(BINGO) get -l github.com/favadi/protoc-go-inject-tag
 
 .PHONY: buf-generate
-buf-generate: $(SHA1_LOCK_FILE)
+buf-generate: $(BUF) protoc-deps $(SHA1_LOCK_FILE)
 	@find $(abspath $(CURDIR)/../../protogen/proto/) -type f -print0 | sort -z | xargs -0 sha1sum > buf.sha1.lock.tmp
 	@cmp $(SHA1_LOCK_FILE) buf.sha1.lock.tmp --quiet || $(MAKE) -B $(SHA1_LOCK_FILE)
 	@rm -f buf.sha1.lock.tmp
 
-$(SHA1_LOCK_FILE): $(BUF) protoc-deps
+$(SHA1_LOCK_FILE):
 	@echo "generating protobuf content"
 	cd ../../protogen/proto && $(BUF) generate
 	find $(abspath $(CURDIR)/../../protogen/proto/) -type f -print0 | sort -z | xargs -0 sha1sum > $(SHA1_LOCK_FILE)

.make/recursion.mk

@@ -0,0 +1,8 @@
+
+ifeq ($(MAKE_DEPTH),)
+MAKE_DEPTH := 0
+else
+$(eval MAKE_DEPTH := $(shell echo "$$(( $(MAKE_DEPTH) + 1 ))" ) )
+endif
+
+export

.woodpecker.env

@@ -1,3 +1,3 @@
 # The test runner source for UI tests
-WEB_COMMITID=81996a0479fa7c1aa7b40d96ba2bea14569d46b6
+WEB_COMMITID=25629bf0d846051ec0ed6f56ddbeb1a4de6f9ba0
 WEB_BRANCH=main

.woodpecker.star

@@ -48,9 +48,7 @@ dirs = {
     "zip": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip",
     "webZip": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip/web.tar.gz",
     "webPnpmZip": "/woodpecker/src/github.com/opencloud-eu/opencloud/zip/web-pnpm.tar.gz",
-    "baseGo": "/go/src/github.com/opencloud-eu/opencloud",
     "gobinTar": "go-bin.tar.gz",
-    "gobinTarPath": "/go/src/github.com/opencloud-eu/opencloud/go-bin.tar.gz",
     "opencloudConfig": "tests/config/woodpecker/opencloud-config.json",
     "opencloudRevaDataRoot": "/woodpecker/src/github.com/opencloud-eu/opencloud/srv/app/tmp/ocis/owncloud/data",
     "multiServiceOcBaseDataPath": "/woodpecker/src/github.com/opencloud-eu/opencloud/multiServiceData",
@@ -350,14 +348,6 @@ config = {
 
 GRAPH_AVAILABLE_ROLES = "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6,63e64e19-8d43-42ec-a738-2b6af2610efa"
 
-# workspace for pipeline to cache Go dependencies between steps of a pipeline
-# to be used in combination with stepVolumeGo
-workspace = \
-    {
-        "base": "/go",
-        "path": "src/github.com/opencloud-eu/opencloud/",
-    }
-
 # minio mc environment variables
 MINIO_MC_ENV = {
     "CACHE_BUCKET": {
@@ -422,7 +412,8 @@ def main(ctx):
     """
 
     build_release_helpers = \
-        readyReleaseGo()
+        readyReleaseGo() + \
+        docs()
 
     build_release_helpers.append(
         pipelineDependsOn(
@@ -559,7 +550,6 @@ def getGoBinForTesting(ctx):
                 },
             },
         ],
-        "workspace": workspace,
     }]
 
 def checkGoBinCache():
@@ -568,7 +558,7 @@ def checkGoBinCache():
         "image": MINIO_MC,
         "environment": MINIO_MC_ENV,
         "commands": [
-            "bash -x %s/tests/config/woodpecker/check_go_bin_cache.sh %s %s" % (dirs["baseGo"], dirs["baseGo"], dirs["gobinTar"]),
+            "bash -x %s/tests/config/woodpecker/check_go_bin_cache.sh %s %s" % (dirs["base"], dirs["base"], dirs["gobinTar"]),
         ],
     }]
 
@@ -586,12 +576,13 @@ def cacheGoBin():
         },
         {
             "name": "archive-go-bin",
-            "image": OC_UBUNTU,
+            "image": OC_CI_GOLANG,
             "commands": [
                 ". ./.env",
                 "if $BIN_CACHE_FOUND; then exit 0; fi",
-                "tar -czvf %s /go/bin" % dirs["gobinTarPath"],
+                "tar -czvf %s/%s /go/bin " % (dirs["base"], dirs["gobinTar"]),
             ],
+            "environment": CI_HTTP_PROXY_ENV,
         },
         {
             "name": "cache-go-bin",
@@ -602,10 +593,10 @@ def cacheGoBin():
                 "if $BIN_CACHE_FOUND; then exit 0; fi",
                 # .bingo folder will change after 'bingo-get'
                 # so get the stored hash of a .bingo folder
-                "BINGO_HASH=$(cat %s/.bingo_hash)" % dirs["baseGo"],
+                "BINGO_HASH=$(cat %s/.bingo_hash)" % dirs["base"],
                 # cache using the minio client to the public bucket (long term bucket)
                 "mc alias set s3 $MC_HOST $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY",
-                "mc cp -r %s s3/$CACHE_BUCKET/opencloud/go-bin/$BINGO_HASH" % (dirs["gobinTarPath"]),
+                "mc cp -r %s/%s s3/$CACHE_BUCKET/opencloud/go-bin/$BINGO_HASH" % (dirs["base"], dirs["gobinTar"]),
             ],
         },
     ]
@@ -617,22 +608,32 @@ def restoreGoBinCache():
             "image": MINIO_MC,
             "environment": MINIO_MC_ENV,
             "commands": [
-                "BINGO_HASH=$(cat %s/.bingo/* | sha256sum | cut -d ' ' -f 1)" % dirs["baseGo"],
+                "BINGO_HASH=$(cat %s/.bingo/* | sha256sum | cut -d ' ' -f 1)" % dirs["base"],
                 "mc alias set s3 $MC_HOST $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY",
-                "mc cp -r -a s3/$CACHE_BUCKET/opencloud/go-bin/$BINGO_HASH/%s %s" % (dirs["gobinTar"], dirs["baseGo"]),
+                "mc cp -r -a s3/$CACHE_BUCKET/opencloud/go-bin/$BINGO_HASH/%s %s" % (dirs["gobinTar"], dirs["base"]),
             ],
         },
         {
             "name": "extract-go-bin-cache",
-            "image": OC_UBUNTU,
+            "image": OC_CI_GOLANG,
             "commands": [
-                "tar -xvmf %s -C /" % dirs["gobinTarPath"],
+                "tar -xvmf %s/%s -C %s" % (dirs["base"], dirs["gobinTar"], dirs["base"]),
             ],
         },
     ]
 
 def testOpencloud(ctx):
-    steps = restoreGoBinCache() + makeGoGenerate("") + [
+    # environment = CI_HTTP_PROXY_ENV
+    # environment["GOBIN"] = "/woodpecker/src/github.com/opencloud-eu/opencloud/go/bin"
+    steps = restoreGoBinCache() + [
+        {
+            "name": "generate-go",
+            "image": OC_CI_GOLANG,
+            "commands": [
+                "for i in $(seq 3); do %s go-generate && break || sleep 1; done" % make,
+            ],
+            "environment": CI_HTTP_PROXY_ENV,
+        },
         {
             "name": "golangci-lint",
             "image": OC_CI_GOLANG,
@@ -687,7 +688,6 @@ def testOpencloud(ctx):
             },
         ],
         "depends_on": getPipelineNames(getGoBinForTesting(ctx)),
-        "workspace": workspace,
     }
 
 def scanOpencloud(ctx):
@@ -714,8 +714,6 @@ def scanOpencloud(ctx):
                 },
             },
         ],
-        "depends_on": getPipelineNames(getGoBinForTesting(ctx)),
-        "workspace": workspace,
     }
 
 def buildOpencloudBinaryForTesting(ctx):
@@ -734,7 +732,6 @@ def buildOpencloudBinaryForTesting(ctx):
                 },
             },
         ],
-        "workspace": workspace,
     }]
 
 def vendorbinCodestyle(phpVersion):
@@ -1618,15 +1615,7 @@ def binaryRelease(ctx, arch, depends_on = []):
             {
                 "name": "build",
                 "image": OC_CI_GOLANG,
-                "environment": {
-                    "VERSION": (ctx.build.ref.replace("refs/tags/", "") if ctx.build.event == "tag" else "daily"),
-                    "HTTP_PROXY": {
-                        "from_secret": "ci_http_proxy",
-                    },
-                    "HTTPS_PROXY": {
-                        "from_secret": "ci_http_proxy",
-                    },
-                },
+                "environment": CI_HTTP_PROXY_ENV,
                 "commands": [
                     "make -C opencloud release-%s" % arch,
                 ],
@@ -1675,6 +1664,8 @@ def binaryRelease(ctx, arch, depends_on = []):
     }
 
 def licenseCheck(ctx):
+    environment = CI_HTTP_PROXY_ENV
+    environment["GOBIN"] = "/woodpecker/src/github.com/opencloud-eu/opencloud/go/bin"
     return {
         "name": "check-licenses",
         "steps": restoreGoBinCache() + [
@@ -1695,7 +1686,7 @@ def licenseCheck(ctx):
             {
                 "name": "go-check-licenses",
                 "image": OC_CI_GOLANG,
-                "environment": CI_HTTP_PROXY_ENV,
+                "environment": environment,
                 "commands": [
                     "make ci-go-check-licenses",
                 ],
@@ -1703,7 +1694,7 @@ def licenseCheck(ctx):
             {
                 "name": "go-save-licenses",
                 "image": OC_CI_GOLANG,
-                "environment": CI_HTTP_PROXY_ENV,
+                "environment": environment,
                 "commands": [
                     "make ci-go-save-licenses",
                 ],
@@ -1738,7 +1729,6 @@ def licenseCheck(ctx):
             event["pull_request"],
             event["tag"],
         ],
-        "workspace": workspace,
     }
 
 def readyReleaseGo():
@@ -1798,6 +1788,34 @@ def releaseDockerReadme(repo, build_type):
         ],
     }
 
+def docs():
+    return [
+        {
+            "name": "dev-docs",
+            "steps": [
+                {
+                    "name": "devdocs",
+                    "image": "codeberg.org/xfix/plugin-codeberg-pages-deploy:1",
+                    "settings": {
+                        "folder": "docs",
+                        "branch": "docs",
+                        "git_config_email": "${CI_COMMIT_AUTHOR_EMAIL}",
+                        "git_config_name": "${CI_COMMIT_AUTHOR}",
+                        "ssh_key": {
+                            "from_secret": "ssh_key",
+                        },
+                    },
+                },
+            ],
+            "when": [
+                {
+                    "event": "push",
+                    "branch": "main",
+                },
+            ],
+        },
+    ]
+
 def makeNodeGenerate(module):
     if module == "":
         make = "make"
@@ -1805,7 +1823,7 @@ def makeNodeGenerate(module):
         make = "make -C %s" % module
     return [
         {
-            "name": "generate nodejs",
+            "name": "generate-nodejs",
             "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
             "environment": {
                 "CHROMEDRIVER_SKIP_DOWNLOAD": True,  # install fails on arm and chromedriver is a test only dependency
@@ -1824,7 +1842,7 @@ def makeGoGenerate(module):
         make = "make -C %s" % module
     return [
         {
-            "name": "generate go",
+            "name": "generate-go",
             "image": OC_CI_GOLANG,
             "commands": [
                 "for i in $(seq 3); do %s go-generate && break || sleep 1; done" % make,

CHANGELOG.md

@@ -1,63 +1,5 @@
 # Changelog
 
-## [2.2.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.2.0) - 2025-04-28
-
-### ❤️ Thanks to all contributors! ❤️
-
-@AlexAndBear, @JammingBen, @ScharfViktor, @Svanvith, @TheOneRing, @aduffeck, @amrita-shrestha, @butonic, @dragonchaser, @dragotin, @fschade, @individual-it, @jnweiger, @micbar, @michaelstingl, @rhafer
-
-### ✨ Features
-
-- add new property IdentifierDefaultLogoTargetURI [[#684](https://github.com/opencloud-eu/opencloud/pull/684)]
-- feat: add dev docs for web [[#623](https://github.com/opencloud-eu/opencloud/pull/623)]
-- feat: improve the info about storage path in deployment example [[#617](https://github.com/opencloud-eu/opencloud/pull/617)]
-
-### 📈 Enhancement
-
-- [full-ci] chore(web): bump web to v2.3.0 [[#738](https://github.com/opencloud-eu/opencloud/pull/738)]
-- bare-metal-deploy. getting latest version [[#699](https://github.com/opencloud-eu/opencloud/pull/699)]
-- Automatically find the latest released version of opencloud [[#687](https://github.com/opencloud-eu/opencloud/pull/687)]
-- Expose more config vars for the posix fs watchers [[#669](https://github.com/opencloud-eu/opencloud/pull/669)]
-- Add env var to make the inotify stats frequency configurable [[#552](https://github.com/opencloud-eu/opencloud/pull/552)]
-- feat(web): remove old and unused color tokens [[#665](https://github.com/opencloud-eu/opencloud/pull/665)]
-- Feat: install.sh now honors OC_BASE_DIR and OC_HOST [[#574](https://github.com/opencloud-eu/opencloud/pull/574)]
-- revert: completely remove "edition" from capabilities [[#601](https://github.com/opencloud-eu/opencloud/pull/601)]
-
-### 📚 Documentation
-
-- Update descirption of COLLABORA_SSL_ENABLE [[#724](https://github.com/opencloud-eu/opencloud/pull/724)]
-- Fix broken links in opencloud_full README.md [[#643](https://github.com/opencloud-eu/opencloud/pull/643)]
-- chore: move dev docs to opencloud-eu/docs repo [[#635](https://github.com/opencloud-eu/opencloud/pull/635)]
-
-### 🐛 Bug Fixes
-
-- Makefile: fix protobuf dependencies [[#714](https://github.com/opencloud-eu/opencloud/pull/714)]
-- Some smaller Makefile adjustments [[#709](https://github.com/opencloud-eu/opencloud/pull/709)]
-- fix(decomposeds3): enable async-uploads by default [[#686](https://github.com/opencloud-eu/opencloud/pull/686)]
-- fix deployment: do not create demo accounts when using keycloak [[#671](https://github.com/opencloud-eu/opencloud/pull/671)]
-- fix: web dev docs broken links [[#633](https://github.com/opencloud-eu/opencloud/pull/633)]
-- fix inbucket setup [[#619](https://github.com/opencloud-eu/opencloud/pull/619)]
-
-### ✅ Tests
-
-- update test docs [[#652](https://github.com/opencloud-eu/opencloud/pull/652)]
-
-### 📦️ Dependencies
-
-- chore:reva bump v.2.32 [[#737](https://github.com/opencloud-eu/opencloud/pull/737)]
-- build(deps): bump golang.org/x/image from 0.25.0 to 0.26.0 [[#726](https://github.com/opencloud-eu/opencloud/pull/726)]
-- build(deps): bump golang.org/x/net from 0.38.0 to 0.39.0 [[#725](https://github.com/opencloud-eu/opencloud/pull/725)]
-- build(deps): bump github.com/nats-io/nats.go from 1.41.0 to 1.41.2 [[#722](https://github.com/opencloud-eu/opencloud/pull/722)]
-- build(deps): bump google.golang.org/grpc from 1.71.1 to 1.72.0 [[#721](https://github.com/opencloud-eu/opencloud/pull/721)]
-- build(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.29.0 [[#602](https://github.com/opencloud-eu/opencloud/pull/602)]
-- build(deps): bump @testing-library/jest-dom from 6.4.8 to 6.6.3 in /services/idp [[#666](https://github.com/opencloud-eu/opencloud/pull/666)]
-- build(deps): bump golang.org/x/text from 0.23.0 to 0.24.0 [[#641](https://github.com/opencloud-eu/opencloud/pull/641)]
-- build(deps-dev): bump webpack from 5.96.1 to 5.99.6 in /services/idp [[#707](https://github.com/opencloud-eu/opencloud/pull/707)]
-- build(deps): bump github.com/nats-io/nats-server/v2 from 2.11.0 to 2.11.1 [[#679](https://github.com/opencloud-eu/opencloud/pull/679)]
-- build(deps): bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 [[#637](https://github.com/opencloud-eu/opencloud/pull/637)]
-- build(deps): bump github.com/coreos/go-oidc/v3 from 3.13.0 to 3.14.1 [[#603](https://github.com/opencloud-eu/opencloud/pull/603)]
-- build(deps-dev): bump typescript from 5.7.3 to 5.8.3 in /services/idp [[#604](https://github.com/opencloud-eu/opencloud/pull/604)]
-
 ## [2.1.0](https://github.com/opencloud-eu/opencloud/releases/tag/v2.1.0) - 2025-04-07
 
 ### ❤️ Thanks to all contributors! ❤️

Makefile

@@ -78,6 +78,8 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include .bingo/Variables.mk
 endif
 
+include .make/recursion.mk
+
 .PHONY: help
 help:
 	@echo "Please use 'make <target>' where <target> is one of the following:"

deployments/examples/bare-metal-simple/install.sh

@@ -34,19 +34,10 @@ function backup_file () {
     fi
 }
 
-function get_latest_version() {
-     latest_version=$(curl -s https://api.github.com/repos/opencloud-eu/opencloud/releases/latest \
-	     | grep '"tag_name":' \
-	     | awk -F: '{print $2}' \
-         | tr -d ' ",v')
-}
-
 # URL pattern of the download file
 # https://github.com/opencloud-eu/opencloud/releases/download/v1.0.0/opencloud-1.0.0-linux-amd64
 
-get_latest_version
-
-dlversion="${OC_VERSION:-$latest_version}"
+dlversion="${OC_VERSION:-2.0.0}"
 dlurl="https://github.com/opencloud-eu/opencloud/releases/download/v${dlversion}/"
 
 sandbox="opencloud-sandbox-${dlversion}"

deployments/examples/opencloud_full/.env

@@ -193,8 +193,7 @@ COLLABORA_ADMIN_USER=
 # Admin password for Collabora.
 # Defaults to "admin".
 COLLABORA_ADMIN_PASSWORD=
-# Set to true to enable SSL handling in Collabora Online, this is only required if you are not using a reverse proxy.
-# Default is true if not specified.
+# Set to true to enable SSL for Collabora Online. Default is true if not specified.
 COLLABORA_SSL_ENABLE=false
 # If you're on an internet-facing server, enable SSL verification for Collabora Online.
 # Please comment out the following line:
@@ -251,38 +250,9 @@ INBUCKET_DOMAIN=
 # Path separator for supplemental compose files specified in COMPOSE_FILE.
 COMPOSE_PATH_SEPARATOR=:
 
-### Ldap Settings ###
-# LDAP is always needed for OpenCloud to store user data as there is no relational database.
-# The built-in LDAP server should used for testing purposes or small installations only.
-# For production installations, it is recommended to use an external LDAP server.
-# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
-# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
-# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
-#
-# Note: the leading colon is required to enable the service.
-LDAP=:ldap.yml
-# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
-LDAP_ADMIN_PASSWORD=
-# LDAP manager
-# login with uid ldapadmin and password
-LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml
-# LDAP manager domain. Defaults to "ldap.opencloud.test"
-LDAP_MANAGER_DOMAIN=
-
 ### Keycloak Settings ###
-# Keycloak is an open-source identity and access management solution.
-# We are using Keycloak as the default identity provider on production installations.
-# It can be used to federate authentication with other identity providers like
-# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
-# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
-# authentication process, the allowed clients and the session management.
-# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
-# Keycloak can be used in two different modes:
-# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
-# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
-# because the LDAP server is connected to both Keycloak and OpenCloud.
 # Note: the leading colon is required to enable the service.
-KEYCLOAK=:keycloak.yml
+#KEYCLOAK=:keycloak.yml
 # Domain for Keycloak. Defaults to "keycloak.opencloud.test".
 KEYCLOAK_DOMAIN=
 # Realm which to be used with OpenCloud. Defaults to "OpenCloud"
@@ -291,11 +261,20 @@ KEYCLOAK_REALM=
 KEYCLOAK_ADMIN_USER=
 # Admin user login password. Defaults to "admin"
 KEYCLOAK_ADMIN_PASSWORD=
-# Autoprovisioning mode. Defaults to "true"
-KEYCLOAK_AUTOPROVISIONING=:keycloak-autoprovisioning.yml
+
+### Ldap Settings ###
+# Note: the leading colon is required to enable the service.
+#LDAP=:ldap.yml
+# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
+LDAP_ADMIN_PASSWORD=
+# LDAP manager
+# login with uid ldapadmin and password
+#LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml
+# LDAP manager domain. Defaults to "ldap.opencloud.test"
+LDAP_MANAGER_DOMAIN=
 
 ## IMPORTANT ##
 # This MUST be the last line as it assembles the supplemental compose files to be used.
 # ALL supplemental configs must be added here, whether commented or not.
 # Each var must either be empty or contain :path/file.yml
-COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${KEYCLOAK_AUTOPROVISIONING:-}${LDAP_MANAGER:-}
+COMPOSE_FILE=docker-compose.yml${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${ONLYOFFICE:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${LDAP_MANAGER:-}

deployments/examples/opencloud_full/README.md

@@ -6,12 +6,12 @@ document this deployment example in: docs/opencloud/deployment/opencloud_full.md
 
 This deployment example is documented in two locations for different audiences:
 
-* In the [Admin Documentation](https://docs.opencloud.eu/docs/admin/intro)\
+* In the [Admin Documentation](https://docs.opencloud.eu/opencloud/latest/index.html)\
   Providing two variants using detailed configuration step by step guides:\
-  [Docker Compose Setup](https://docs.opencloud.eu/docs/admin/getting-started/docker/docker-compose) and [Docker Compose Local](https://docs.opencloud.eu/docs/admin/getting-started/docker/docker-compose-local).\
+  [Local Production Setup](https://docs.opencloud.eu/opencloud/next/depl-examples/ubuntu-compose/ubuntu-compose-prod.html) and [Deploy OpenCloud on the Hetzner Cloud](https://docs.opencloud.eu/opencloud/next/depl-examples/ubuntu-compose/ubuntu-compose-hetzner.html).\
   Note that these examples use LetsEncrypt certificates and are intended for production use.
 
-* In the [Developer Documentation](https://docs.opencloud.eu/docs/dev/intro)\
+* In the [Developer Documentation](https://docs.opencloud.eu/opencloud/deployment/opencloud_full/)\
   Providing details which are more developer focused. This description can also be used when deviating from the default.\
   Note that this examples uses self signed certificates and is intended for testing purposes.
 

deployments/examples/opencloud_full/config/keycloak/docker-entrypoint-override.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 printenv
-# replace openCloud domain and LDAP password in keycloak realm import
+# replace openCloud domain in keycloak realm import
 mkdir /opt/keycloak/data/import
-sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" -e "s/ldap-admin-password/${LDAP_ADMIN_PASSWORD:-admin}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
+sed -e "s/cloud.opencloud.test/${OC_DOMAIN}/g" /opt/keycloak/data/import-dist/opencloud-realm.json > /opt/keycloak/data/import/opencloud-realm.json
 
 # run original docker-entrypoint
 /opt/keycloak/bin/kc.sh "$@"

deployments/examples/opencloud_full/config/ldap/ldif/10_base.ldif

@@ -18,7 +18,3 @@ uid: ldapadmin
 dn: ou=groups,dc=opencloud,dc=eu
 objectClass: organizationalUnit
 ou: groups
-
-dn: ou=custom,ou=groups,dc=opencloud,dc=eu
-objectClass: organizationalUnit
-ou: custom

deployments/examples/opencloud_full/config/ldap/ldif/20_users.ldif

@@ -2,7 +2,9 @@
 dn: uid=alan,ou=users,dc=opencloud,dc=eu
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
+objectClass: openCloudUser
 objectClass: person
+objectClass: posixAccount
 objectClass: top
 uid: alan
 givenName: Alan
@@ -11,12 +13,18 @@ cn: alan
 displayName: Alan Turing
 description:  An English mathematician, computer scientist, logician, cryptanalyst, philosopher and theoretical biologist. He was highly influential in the development of theoretical computer science, providing a formalisation of the concepts of algorithm and computation with the Turing machine.
 mail: alan@example.org
+uidNumber: 20000
+gidNumber: 30000
+homeDirectory: /home/alan
+openCloudUUID: b1f74ec4-dd7e-11ef-a543-03775734d0f7
 userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
 
 dn: uid=lynn,ou=users,dc=opencloud,dc=eu
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
+objectClass: openCloudUser
 objectClass: person
+objectClass: posixAccount
 objectClass: top
 uid: lynn
 givenName: Lynn
@@ -25,12 +33,19 @@ cn: lynn
 displayName: Lynn Conway
 description:  An American computer scientist, electrical engineer, and transgender activist.
 mail: lynn@example.org
+uidNumber: 20001
+gidNumber: 30000
+homeDirectory: /home/lynn
+openCloudUserEnabled: TRUE
+openCloudUUID: 60708dda-e897-11ef-919f-bbb7437d6ec2
 userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
 
 dn: uid=mary,ou=users,dc=opencloud,dc=eu
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
+objectClass: openCloudUser
 objectClass: person
+objectClass: posixAccount
 objectClass: top
 uid: mary
 givenName: Mary
@@ -39,12 +54,19 @@ cn: mary
 displayName: Mary Kenneth Keller
 description: Mary Kenneth Keller of the Sisters of Charity of the Blessed Virgin Mary was a pioneer in computer science.
 mail: mary@example.org
+uidNumber: 20002
+gidNumber: 30000
+homeDirectory: /home/mary
+openCloudUserEnabled: TRUE
+openCloudUUID: 056fc874-dd7f-11ef-ba84-af6fca4b7289
 userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
 
 dn: uid=margaret,ou=users,dc=opencloud,dc=eu
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
+objectClass: openCloudUser
 objectClass: person
+objectClass: posixAccount
 objectClass: top
 uid: margaret
 givenName: Margaret
@@ -53,12 +75,19 @@ cn: margaret
 displayName: Margaret Hamilton
 description: A director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for NASA's Apollo program.
 mail: margaret@example.org
+uidNumber: 20003
+gidNumber: 30000
+homeDirectory: /home/margaret
+openCloudUserEnabled: TRUE
+openCloudUUID: 801abee4-dd7f-11ef-a324-83f55a754b62
 userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
 
 dn: uid=dennis,ou=users,dc=opencloud,dc=eu
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
+objectClass: openCloudUser
 objectClass: person
+objectClass: posixAccount
 objectClass: top
 uid: dennis
 givenName: Dennis
@@ -67,12 +96,19 @@ cn: dennis
 displayName: Dennis Ritchie
 description: American computer scientist. He created the C programming language and the Unix operating system and B language with long-time colleague Ken Thompson.
 mail: dennis@example.org
+uidNumber: 20004
+gidNumber: 30000
+homeDirectory: /home/dennis
+openCloudUserEnabled: TRUE
+openCloudUUID: cd88bf9a-dd7f-11ef-a609-7f78deb2345f
 userPassword:: e1NTSEF9Y2ZMdVlqMTBDUFpLWE44VC9mQ0FzYnFHQmtyZExJeGg=
 
 dn: uid=admin,ou=users,dc=opencloud,dc=eu
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
+objectClass: openCloudUser
 objectClass: person
+objectClass: posixAccount
 objectClass: top
 uid: admin
 givenName: Admin
@@ -81,4 +117,9 @@ cn: admin
 displayName: Admin
 description: An admin for this OpenCloud instance.
 mail: admin@example.org
+uidNumber: 20005
+gidNumber: 30000
+homeDirectory: /home/admin
+openCloudUserEnabled: TRUE
+openCloudUUID: f7fc96f6-ceb4-4387-bd69-07a6d7992973
 userPassword:: e1NTSEF9UWhmaFB3dERydTUydURoWFFObDRMbzVIckI3TkI5Nmo==

deployments/examples/opencloud_full/config/ldap/ldif/30_groups.ldif

@@ -1,8 +1,10 @@
 dn: cn=users,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: users
 description: Users
+openCloudUUID: 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa
 member: uid=alan,ou=users,dc=opencloud,dc=eu
 member: uid=mary,ou=users,dc=opencloud,dc=eu
 member: uid=margaret,ou=users,dc=opencloud,dc=eu
@@ -12,58 +14,74 @@ member: uid=admin,ou=users,dc=opencloud,dc=eu
 
 dn: cn=chess-lovers,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: chess-lovers
 description: Chess lovers
+openCloudUUID: 9d31ec04-dd80-11ef-ac47-a38ba68cc36d
 member: uid=alan,ou=users,dc=opencloud,dc=eu
 
 dn: cn=machine-lovers,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: machine-lovers
 description: Machine Lovers
+openCloudUUID: d901562a-dd80-11ef-a510-fba1ed43fb21
 member: uid=alan,ou=users,dc=opencloud,dc=eu
 
 dn: cn=bible-readers,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: bible-readers
 description: Bible readers
+openCloudUUID: 2fc6ba22-dd81-11ef-89e6-e3eff494a998
 member: uid=mary,ou=users,dc=opencloud,dc=eu
 
 dn: cn=apollos,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: apollos
 description: Contributors to the Appollo mission
+openCloudUUID: 6f9bab36-dd94-11ef-a252-dbbdd20299dd
 member: uid=margaret,ou=users,dc=opencloud,dc=eu
 
 dn: cn=unix-lovers,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: unix-lovers
 description: Unix lovers
+openCloudUUID: 75bc3882-dd94-11ef-ad60-335f3df6cef3
 member: uid=dennis,ou=users,dc=opencloud,dc=eu
 
 dn: cn=basic-haters,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: basic-haters
 description: Haters of the Basic programming language
+openCloudUUID: a4eb2c12-dd94-11ef-9ebe-eb96f938d517
 member: uid=dennis,ou=users,dc=opencloud,dc=eu
 
 dn: cn=vlsi-lovers,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: vlsi-lovers
 description: Lovers of VLSI microchip design
+openCloudUUID: 914ce3de-e899-11ef-9a4b-732fbb2acc42
 member: uid=lynn,ou=users,dc=opencloud,dc=eu
 
 dn: cn=programmers,ou=groups,dc=opencloud,dc=eu
 objectClass: groupOfNames
+objectClass: openCloudObject
 objectClass: top
 cn: programmers
 description: Computer Programmers
+openCloudUUID: ce4aa240-dd94-11ef-82b8-4f4828849072
 member: uid=alan,ou=users,dc=opencloud,dc=eu
 member: uid=margaret,ou=users,dc=opencloud,dc=eu
 member: uid=dennis,ou=users,dc=opencloud,dc=eu

deployments/examples/opencloud_full/config/opencloud/app-registry.yaml

@@ -12,49 +12,49 @@ app_registry:
     name: OpenDocument
     description: OpenDocument text document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: Collabora
     allow_creation: true
   - mime_type: application/vnd.oasis.opendocument.spreadsheet
     extension: ods
     name: OpenSpreadsheet
     description: OpenDocument spreadsheet document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: Collabora
     allow_creation: true
   - mime_type: application/vnd.oasis.opendocument.presentation
     extension: odp
     name: OpenPresentation
     description: OpenDocument presentation document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: Collabora
     allow_creation: true
   - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
     extension: docx
     name: Microsoft Word
     description: Microsoft Word document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: OnlyOffice
     allow_creation: true
   - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.form
     extension: docxf
     name: Form Document
     description: Form Document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: OnlyOffice
     allow_creation: true
   - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
     extension: xlsx
     name: Microsoft Excel
     description: Microsoft Excel document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: OnlyOffice
     allow_creation: true
   - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation
     extension: pptx
     name: Microsoft PowerPoint
     description: Microsoft PowerPoint document
     icon: ''
-    default_app: CollaboraOnline
+    default_app: OnlyOffice
     allow_creation: true
   - mime_type: application/vnd.jupyter
     extension: ipynb

deployments/examples/opencloud_full/keycloak-autoprovisioning.yml

@@ -1,41 +0,0 @@
----
-services:
-  opencloud:
-    environment:
-      # Keycloak IDP specific configuration for auto-provisioning
-      OC_LDAP_SERVER_WRITE_ENABLED: "true"
-      PROXY_AUTOPROVISION_ACCOUNTS: "true"
-      # Use the `sub` claim from keycloak for the user ID
-      # Keycloak uses the keycloak user ID as the `sub` claim
-      PROXY_USER_OIDC_CLAIM: "sub"
-      # Use the `sub` claim as identifier during autoprovisioning
-      # That mitigates problems when a user is renamed in keycloak
-      PROXY_AUTOPROVISION_CLAIM_USERNAME: "sub"
-      PROXY_USER_CS3_CLAIM: "username"
-      # This triggers the creation of the opencloudUUID during the provisioning of users and groups
-      GRAPH_LDAP_SERVER_UUID: "false"
-      # This is the default value, we need to set it here because we overwrite the values
-      OC_LDAP_USER_SCHEMA_ID: "opencloudUUID"
-      # This is the default value, we need to set it here because we overwrite the values
-      OC_LDAP_GROUP_SCHEMA_ID: "opencloudUUID"
-      # This is the default value, we need to set it here because we overwrite the values
-      OC_LDAP_DISABLE_USER_MECHANISM: "attribute"
-      # These values should only be set in keycloak, because opencloud updates them from the claims
-      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.memberOf"
-  ldap-server:
-    volumes:
-      # Use an empty named volume to overwrite the inherited values
-      - empty-dir:/ldifs
-      # Only use the base ldif file to create the base structure
-      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
-      # Use the custom schema from opencloud because we are in full control of the ldap server
-      - ../shared/config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
-      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
-      - ldap-certs:/opt/bitnami/openldap/share
-      - ldap-data:/bitnami/openldap
-  keycloak:
-    volumes:
-      - "./config/keycloak/docker-entrypoint-override.sh:/opt/keycloak/bin/docker-entrypoint-override.sh"
-      - "./config/keycloak/opencloud-realm-autoprovisioning.dist.json:/opt/keycloak/data/import-dist/opencloud-realm.json"
-volumes:
-  empty-dir:

deployments/examples/opencloud_full/keycloak.yml

@@ -9,20 +9,23 @@ services:
   opencloud:
     environment:
       # Keycloak IDP specific configuration
-      PROXY_AUTOPROVISION_ACCOUNTS: "false"
+      PROXY_AUTOPROVISION_ACCOUNTS: "true"
       PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
       OC_OIDC_ISSUER: https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}
       PROXY_OIDC_REWRITE_WELLKNOWN: "true"
       WEB_OIDC_CLIENT_ID: ${OC_OIDC_CLIENT_ID:-web}
-      PROXY_USER_OIDC_CLAIM: "uuid"
-      PROXY_USER_CS3_CLAIM: "userid"
-      WEB_OPTION_ACCOUNT_EDIT_LINK_HREF: "https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account"
+
+      PROXY_USER_OIDC_CLAIM: "preferred_username"
+      PROXY_USER_CS3_CLAIM: "username"
+      OC_EXCLUDE_RUN_SERVICES: "idp"
+      
       # admin and demo accounts must be created in Keycloak
       OC_ADMIN_USER_ID: ""
       SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+
       GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
       GRAPH_USERNAME_MATCH: "none"
-      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}
+      KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.opencloud.test} 
 
   postgres:
     image: postgres:alpine

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/ggwhite/go-masker v1.1.0
 	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/go-ldap/ldap/v3 v3.4.11
+	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3
 	github.com/go-micro/plugins/v4/client/grpc v1.2.1
 	github.com/go-micro/plugins/v4/logger/zerolog v1.2.0
@@ -51,24 +51,24 @@ require (
 	github.com/kovidgoyal/imaging v1.6.4
 	github.com/leonelquinteros/gotext v1.7.1
 	github.com/libregraph/idm v0.5.0
-	github.com/libregraph/lico v0.65.2-0.20250428103211-356e98f98457
+	github.com/libregraph/lico v0.65.1
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/mna/pigeon v1.3.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	github.com/nats-io/nats-server/v2 v2.11.1
-	github.com/nats-io/nats.go v1.41.2
+	github.com/nats-io/nats-server/v2 v2.11.0
+	github.com/nats-io/nats.go v1.41.0
 	github.com/oklog/run v1.1.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
 	github.com/open-policy-agent/opa v1.3.0
-	github.com/opencloud-eu/reva/v2 v2.32.0
+	github.com/opencloud-eu/reva/v2 v2.31.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/owncloud/libre-graph-api-go v1.0.5-0.20240829135935-80dc00d6f5ea
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/xattr v0.4.10
-	github.com/prometheus/client_golang v1.22.0
+	github.com/prometheus/client_golang v1.21.1
 	github.com/r3labs/sse/v2 v2.10.0
 	github.com/riandyrn/otelchi v0.12.1
 	github.com/rogpeppe/go-internal v1.14.1
@@ -96,16 +96,16 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0
 	go.opentelemetry.io/otel/sdk v1.35.0
 	go.opentelemetry.io/otel/trace v1.35.0
-	golang.org/x/crypto v0.37.0
+	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	golang.org/x/image v0.26.0
-	golang.org/x/net v0.39.0
-	golang.org/x/oauth2 v0.29.0
-	golang.org/x/sync v0.13.0
-	golang.org/x/term v0.31.0
-	golang.org/x/text v0.24.0
+	golang.org/x/image v0.25.0
+	golang.org/x/net v0.38.0
+	golang.org/x/oauth2 v0.28.0
+	golang.org/x/sync v0.12.0
+	golang.org/x/term v0.30.0
+	golang.org/x/text v0.23.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb
-	google.golang.org/grpc v1.72.0
+	google.golang.org/grpc v1.71.1
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools/v3 v3.5.2
@@ -152,7 +152,7 @@ require (
 	github.com/bluele/gcache v0.0.2 // indirect
 	github.com/bombsimon/logrusr/v3 v3.1.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/ceph/go-ceph v0.33.0 // indirect
+	github.com/ceph/go-ceph v0.32.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cevaris/ordered_map v0.0.0-20190319150403-3adeae072e73 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
@@ -179,7 +179,7 @@ require (
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/gdexlab/go-render v1.0.1 // indirect
 	github.com/go-acme/lego/v4 v4.4.0 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.13.2 // indirect
@@ -197,7 +197,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-resty/resty/v2 v2.7.0 // indirect
-	github.com/go-sql-driver/mysql v1.9.2 // indirect
+	github.com/go-sql-driver/mysql v1.9.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
@@ -232,7 +232,7 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jonboulle/clockwork v0.5.0 // indirect
+	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juliangruber/go-intersect v1.1.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
@@ -262,7 +262,7 @@ require (
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nats-io/jwt/v2 v2.7.3 // indirect
-	github.com/nats-io/nkeys v0.4.11 // indirect
+	github.com/nats-io/nkeys v0.4.10 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -282,7 +282,7 @@ require (
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/xid v1.6.0 // indirect
-	github.com/russellhaering/goxmldsig v1.5.0 // indirect
+	github.com/russellhaering/goxmldsig v1.4.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/segmentio/kafka-go v0.4.47 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect

go.sum

@@ -130,6 +130,7 @@ github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk
 github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/bbalet/stopwords v1.0.0 h1:0TnGycCtY0zZi4ltKoOGRFIlZHv0WqpoIGUsObjztfo=
 github.com/bbalet/stopwords v1.0.0/go.mod h1:sAWrQoDMfqARGIn4s6dp7OW7ISrshUD8IP2q3KoqPjc=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/beevik/etree v1.5.0 h1:iaQZFSDS+3kYZiGoc9uKeOkUY3nYMXOKLl6KIJxiJWs=
 github.com/beevik/etree v1.5.0/go.mod h1:gPNJNaBGVZ9AwsidazFZyygnd+0pAU38N4D+WemwKNs=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@@ -202,8 +203,8 @@ github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK3
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/ceph/go-ceph v0.33.0 h1:xT9v/MAa+DIBmflyITyFkGRgWngATghGegKJguEOInQ=
-github.com/ceph/go-ceph v0.33.0/go.mod h1:6ef0lIyDHnwArykqfWZDWCfbbJAVTXL1tOYrM1M4bAE=
+github.com/ceph/go-ceph v0.32.0 h1:iXRUGdPmH7h9Vf/WA1Dg3Wo1tgL7gcUbylfpbxrlGLs=
+github.com/ceph/go-ceph v0.32.0/go.mod h1:42eoJzyLS3VREzqrg2ot44NtuluQZi55hFRSoLF36GQ=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -236,6 +237,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
@@ -331,8 +333,8 @@ github.com/go-acme/lego/v4 v4.4.0 h1:uHhU5LpOYQOdp3aDU+XY2bajseu8fuExphTL1Ss6/Fc
 github.com/go-acme/lego/v4 v4.4.0/go.mod h1:l3+tFUFZb590dWcqhWZegynUthtaHJbG2fevUpoOOE0=
 github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-asn1-ber/asn1-ber v1.4.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
-github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-chi/chi v4.0.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
 github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
 github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
@@ -365,8 +367,8 @@ github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBj
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-ldap/ldap/v3 v3.1.7/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
-github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
-github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
+github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
+github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 h1:sfz1YppV05y4sYaW7kXZtrocU/+vimnIWt4cxAYh7+o=
 github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3/go.mod h1:ZXFhGda43Z2TVbfGZefXyMJzsDHhCh0go3bZUcwTx7o=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@@ -416,8 +418,8 @@ github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq
 github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48/go.mod h1:dZGr0i9PLlaaTD4H/hoZIDjQ+r6xq8mgbRzHZf7f2J8=
 github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY=
 github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I=
-github.com/go-sql-driver/mysql v1.9.2 h1:4cNKDYQ1I84SXslGddlsrMhc8k4LeDVj6Ad6WRjiHuU=
-github.com/go-sql-driver/mysql v1.9.2/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
+github.com/go-sql-driver/mysql v1.9.1 h1:FrjNGn/BsJQjVRuSa8CBrM5BWA9BWoXXat3KrtSb/iI=
+github.com/go-sql-driver/mysql v1.9.1/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -445,8 +447,8 @@ github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeH
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid/v5 v5.3.2 h1:2jfO8j3XgSwlz/wHqemAEugfnTlikAYHhnqQ8Xh4fE0=
-github.com/gofrs/uuid/v5 v5.3.2/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
+github.com/gofrs/uuid/v5 v5.3.0 h1:m0mUMr+oVYUdxpMLgSYCZiXe7PuVPnI94+OMeVBNedk=
+github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -570,6 +572,8 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
 github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
@@ -656,8 +660,8 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
-github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
+github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -701,6 +705,8 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -719,8 +725,8 @@ github.com/leonelquinteros/gotext v1.7.1 h1:/JNPeE3lY5JeVYv2+KBpz39994W3W9fmZCGq
 github.com/leonelquinteros/gotext v1.7.1/go.mod h1:I0WoFDn9u2D3VbPnnDPT8mzZu0iSXG8iih+AH2fHHqg=
 github.com/libregraph/idm v0.5.0 h1:tDMwKbAOZzdeDYMxVlY5PbSqRKO7dbAW9KT42A51WSk=
 github.com/libregraph/idm v0.5.0/go.mod h1:BGMwIQ/6orJSPVzJ1x6kgG2JyG9GY05YFmbsnaD80k0=
-github.com/libregraph/lico v0.65.2-0.20250428103211-356e98f98457 h1:cwmUM+mSeqWYtZKAHn8QN7ns1nNf3Pc8nUfShka9+x0=
-github.com/libregraph/lico v0.65.2-0.20250428103211-356e98f98457/go.mod h1:2s2UkO0pY7/k1UlenXwio1qenfHZ217Npx22YyZJfSA=
+github.com/libregraph/lico v0.65.1 h1:7ENAoAgbetZkJSwa1dMMP5WvXMTQ5E/3LI4uRDhwjEk=
+github.com/libregraph/lico v0.65.1/go.mod h1:6w+kgoTYiXpJ7VriAaKJfeyF0eV/Stapd9pnK64du84=
 github.com/libregraph/oidc-go v1.1.0 h1:RyudjL3UyQblqeBQI06W53PniWobqODeeyAy6v/HumA=
 github.com/libregraph/oidc-go v1.1.0/go.mod h1:qW9ubcXvZrfbbWZBaLMuk7bt5qAUMYyt9/NtXQt07Cw=
 github.com/linode/linodego v0.25.3/go.mod h1:GSBKPpjoQfxEfryoCRcgkuUOCuVtGHWhzI8OMdycNTE=
@@ -821,12 +827,12 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
 github.com/nats-io/jwt/v2 v2.7.3 h1:6bNPK+FXgBeAqdj4cYQ0F8ViHRbi7woQLq4W29nUAzE=
 github.com/nats-io/jwt/v2 v2.7.3/go.mod h1:GvkcbHhKquj3pkioy5put1wvPxs78UlZ7D/pY+BgZk4=
-github.com/nats-io/nats-server/v2 v2.11.1 h1:LwdauqMqMNhTxTN3+WFTX6wGDOKntHljgZ+7gL5HCnk=
-github.com/nats-io/nats-server/v2 v2.11.1/go.mod h1:leXySghbdtXSUmWem8K9McnJ6xbJOb0t9+NQ5HTRZjI=
-github.com/nats-io/nats.go v1.41.2 h1:5UkfLAtu/036s99AhFRlyNDI1Ieylb36qbGjJzHixos=
-github.com/nats-io/nats.go v1.41.2/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
-github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
-github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
+github.com/nats-io/nats-server/v2 v2.11.0 h1:fdwAT1d6DZW/4LUz5rkvQUe5leGEwjjOQYntzVRKvjE=
+github.com/nats-io/nats-server/v2 v2.11.0/go.mod h1:leXySghbdtXSUmWem8K9McnJ6xbJOb0t9+NQ5HTRZjI=
+github.com/nats-io/nats.go v1.41.0 h1:PzxEva7fflkd+n87OtQTXqCTyLfIIMFJBpyccHLE2Ko=
+github.com/nats-io/nats.go v1.41.0/go.mod h1:wV73x0FSI/orHPSYoyMeJB+KajMDoWyXmFaRrrYaaTo=
+github.com/nats-io/nkeys v0.4.10 h1:glmRrpCmYLHByYcePvnTBEAwawwapjCPMjy2huw20wc=
+github.com/nats-io/nkeys v0.4.10/go.mod h1:OjRrnIKnWBFl+s4YK5ChQfvHP2fxqZexrKJoVVyWB3U=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
@@ -859,8 +865,8 @@ github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
 github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/open-policy-agent/opa v1.3.0 h1:zVvQvQg+9+FuSRBt4LgKNzJwsWl/c85kD5jPozJTydY=
 github.com/open-policy-agent/opa v1.3.0/go.mod h1:t9iPNhaplD2qpiBqeudzJtEX3fKHK8zdA29oFvofAHo=
-github.com/opencloud-eu/reva/v2 v2.32.0 h1:JRWPleHiEl0film95Gkh1iBEhc6eikEsx5FKLfVx6l8=
-github.com/opencloud-eu/reva/v2 v2.32.0/go.mod h1:FDhGVC+ZsRRWdC3am4EbuILBtviTbCDVrTUjFECOqvg=
+github.com/opencloud-eu/reva/v2 v2.31.0 h1:UVgeb0hSPoaDdqcKSJ7XZAhXCtHaVK9qm/JtFtJM/7U=
+github.com/opencloud-eu/reva/v2 v2.31.0/go.mod h1:8MT1a/WJASZZhlSMC0oeE3ECQdjqFw3BUiiAIZ/JR8I=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -889,6 +895,7 @@ github.com/pierrec/lz4/v4 v4.1.15 h1:MO0/ucJhngq7299dKLwIMtgTfbkoSPF6AoMYDd8Q4q0
 github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
 github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -919,8 +926,8 @@ github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqr
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
+github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
 github.com/prometheus/client_model v0.0.0-20170216185247-6f3806018612/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
@@ -971,6 +978,8 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
@@ -979,8 +988,8 @@ github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/russellhaering/goxmldsig v1.5.0 h1:AU2UkkYIUOTyZRbe08XMThaOCelArgvNfYapcmSjBNw=
-github.com/russellhaering/goxmldsig v1.5.0/go.mod h1:x98CjQNFJcWfMxeOrMnMKg70lvDP6tE0nTaeUnjXDmk=
+github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
+github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -1217,13 +1226,15 @@ golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1239,8 +1250,8 @@ golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScy
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
-golang.org/x/image v0.26.0 h1:4XjIFEZWQmCZi6Wv8BoxsDhRU3RVnLX04dToTDAEPlY=
-golang.org/x/image v0.26.0/go.mod h1:lcxbMFAovzpnJxzXS3nyL83K27tmqtKzIJpctK8YO5c=
+golang.org/x/image v0.25.0 h1:Y6uW6rH1y5y/LK1J8BPWZtr6yZ7hrsy6hFrXjgsc2fQ=
+golang.org/x/image v0.25.0/go.mod h1:tCAmOEGthTtkalusGp1g3xa2gke8J6c2N565dTyl9Rs=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1315,14 +1326,16 @@ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1330,8 +1343,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1349,8 +1362,9 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1431,6 +1445,7 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
 golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
@@ -1444,8 +1459,9 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1461,8 +1477,9 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1607,8 +1624,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
-google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
+google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e h1:m7aQHHqd0q89mRwhwS9Bx2rjyl/hsFAeta+uGrHsQaU=
 google.golang.org/grpc/examples v0.0.0-20211102180624-670c133e568e/go.mod h1:gID3PKrg7pWKntu9Ss6zTLJ0ttC0X9IHgREOCZwbCVU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

opencloud/Makefile

@@ -11,6 +11,7 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include ../.bingo/Variables.mk
 endif
 include ../.make/default.mk
+include ../.make/recursion.mk
 include ../.make/go.mk
 include ../.make/release.mk
 include ../.make/docs.mk

pkg/Makefile

@@ -5,6 +5,7 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include ../.bingo/Variables.mk
 endif
 include ../.make/default.mk
+include ../.make/recursion.mk
 include ../.make/go.mk
 include ../.make/release.mk
 include ../.make/docs.mk

pkg/version/version.go

@@ -16,7 +16,7 @@ var (
 	// LatestTag is the latest released version plus the dev meta version.
 	// Will be overwritten by the release pipeline
 	// Needs a manual change for every tagged release
-	LatestTag = "2.2.0+dev"
+	LatestTag = "2.1.0+dev"
 
 	// Date indicates the build date.
 	// This has been removed, it looks like you can only replace static strings with recent go versions

protogen/Makefile

@@ -5,6 +5,7 @@ ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warn
 include ../.bingo/Variables.mk
 endif
 include ../.make/default.mk
+include ../.make/recursion.mk
 include ../.make/generate.mk
 
 .PHONY: go-generate

services/activitylog/Makefile

@@ -8,6 +8,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/antivirus/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/app-provider/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/app-registry/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/audit/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/auth-app/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/auth-basic/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/auth-bearer/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/auth-machine/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/auth-service/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/clientlog/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/collaboration/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/eventhistory/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/frontend/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/gateway/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/graph/Makefile

@@ -8,12 +8,13 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
 
 .PHONY: go-generate
-go-generate: $(MOCKERY)
+go-generate:
 	$(MOCKERY)
 
 .PHONY: l10n-pull

services/groups/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/idm/Makefile

@@ -7,6 +7,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/idp/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk
@@ -15,16 +16,20 @@ node-generate-prod: assets
 
 .PHONY: assets
 assets: pnpm-build \
+		assets/identifier/static \
 		assets/identifier/static/favicon.svg \
 		assets/identifier/static/icon-lilac.svg
 
+assets/identifier/static:
+	mkdir -p assets/identifier/static
+
 .PHONY: assets/identifier/static/favicon.svg # force overwrite
-assets/identifier/static/favicon.svg: pnpm-build
+assets/identifier/static/favicon.svg:
 	cp src/images/favicon.svg assets/identifier/static/favicon.svg
 	rm assets/identifier/static/favicon.ico
 
 .PHONY: assets/identifier/static/icon-lilac.svg
-assets/identifier/static/icon-lilac.svg: pnpm-build
+assets/identifier/static/icon-lilac.svg:
 	cp src/images/icon-lilac.svg assets/identifier/static/icon-lilac.svg
 
 .PHONY: pnpm-build

services/idp/package.json

@@ -74,7 +74,7 @@
     "@fontsource/roboto": "^5.1.0",
     "@material-ui/core": "^4.12.4",
     "@material-ui/icons": "^4.11.3",
-    "@testing-library/jest-dom": "^6.6.3",
+    "@testing-library/jest-dom": "^6.4.8",
     "@testing-library/react": "^11.2.7",
     "@testing-library/user-event": "^14.5.2",
     "@types/jest": "^29.5.12",
@@ -150,7 +150,7 @@
     "source-map-explorer": "^2.5.3",
     "typescript": "^5.8.3",
     "url-loader": "4.1.1",
-    "webpack": "5.99.6",
+    "webpack": "5.96.1",
     "webpack-manifest-plugin": "5.0.0",
     "workbox-webpack-plugin": "7.1.0"
   },

services/idp/pkg/config/config.go

@@ -101,7 +101,6 @@ type Settings struct {
 	IdentifierScopesConf              string `yaml:"-"` // unused
 	IdentifierDefaultBannerLogo       string
 	IdentifierDefaultSignInPageText   string `yaml:"default_sign_in_page_text" env:"IDP_DEFAULT_SIGNIN_PAGE_TEXT" desc:"" introductionVersion:"2.0.0"`
-	IdentifierDefaultLogoTargetURI    string `yaml:"default_logo_target_uri" env:"IDP_DEFAULT_LOGO_TARGET_URI" desc:"Default logo target URI." introductionVersion:"%%NEXT%%"`
 	IdentifierDefaultUsernameHintText string
 	IdentifierUILocales               []string
 

services/idp/pkg/config/defaults/defaultconfig.go

@@ -58,7 +58,6 @@ func DefaultConfig() *config.Config {
 			IdentifierScopesConf:               "",
 			IdentifierDefaultBannerLogo:        "",
 			IdentifierDefaultSignInPageText:    "",
-			IdentifierDefaultLogoTargetURI:     "",
 			IdentifierDefaultUsernameHintText:  "",
 			SigningKid:                         "private-key",
 			SigningMethod:                      "PS256",

services/idp/pkg/service/v0/service.go

@@ -100,7 +100,6 @@ func NewService(opts ...Option) Service {
 		IdentifierScopesConf:              options.Config.IDP.IdentifierScopesConf,
 		IdentifierDefaultBannerLogo:       options.Config.IDP.IdentifierDefaultBannerLogo,
 		IdentifierDefaultSignInPageText:   options.Config.IDP.IdentifierDefaultSignInPageText,
-		IdentifierDefaultLogoTargetURI:    options.Config.IDP.IdentifierDefaultLogoTargetURI,
 		IdentifierDefaultUsernameHintText: options.Config.IDP.IdentifierDefaultUsernameHintText,
 		IdentifierUILocales:               options.Config.IDP.IdentifierUILocales,
 		SigningKid:                        options.Config.IDP.SigningKid,

services/idp/src/components/ResponsiveScreen.jsx

@@ -44,7 +44,6 @@ const ResponsiveScreen = (props) => {
     loading,
     children,
     className,
-    branding,
     ...other
   } = props;
   const { theme } = useContext(OpenCloudContext);
@@ -56,38 +55,21 @@ const ResponsiveScreen = (props) => {
   const content = loading ? <Loading/> : (withoutPadding ? children : <DialogContent>{children}</DialogContent>);
 
   return (
-    <Grid
-      container
-      justifyContent="center"
-      alignItems="center"
-      direction="column"
-      spacing={0}
-      className={classNames(classes.root, className)}
-      {...other}
-    >
-      <div className={classes.wrapper}>
-        <div className={classes.content}>
-          {branding?.signinPageLogoURI ? (
-            <a
-              href={branding.signinPageLogoURI}
-              target="_blank"
-              rel="noopener noreferrer"
-            >
+    <Grid container justifyContent="center" alignItems="center" direction="column" spacing={0}
+      className={classNames(classes.root, className)} {...other}>
+        <div className={classes.wrapper}>
+            <div className={classes.content}>
               {logo}
-            </a>
-          ) : (
-            logo
-          )}
-          <div className={"oc-card"}>
-            <div className={"oc-card-body"}>{content}</div>
-          </div>
+              <div className={'oc-card'}>
+                <div className={'oc-card-body'}>
+                {content}
+                </div>
+              </div>
+            </div>
         </div>
-      </div>
-      <footer className="oc-footer-message">
-        <Trans i18nKey="konnect.footer.slogan">
-          <strong>OpenCloud</strong> - excellent file sharing
-        </Trans>
-      </footer>
+        <footer className="oc-footer-message">
+              <Trans i18nKey="konnect.footer.slogan"><strong>OpenCloud</strong> - excellent file sharing</Trans>
+        </footer>
     </Grid>
   );
 };

services/invitations/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/nats/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/notifications/Makefile

@@ -8,6 +8,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/ocdav/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/ocm/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/ocs/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/policies/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/postprocessing/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/proxy/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/search/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/settings/Makefile

@@ -8,6 +8,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/sharing/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/sse/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/storage-publiclink/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/storage-shares/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/storage-system/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/storage-users/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/storage-users/pkg/config/config.go

@@ -214,12 +214,10 @@ type PosixDriver struct {
 
 	EnableFSRevisions bool `yaml:"enable_fs_revisions" env:"STORAGE_USERS_POSIX_ENABLE_FS_REVISIONS" desc:"Allow for generating revisions from changes done to the local storage. Note: This doubles the number of bytes stored on disk because a copy of the current revision is stored to be turned into a revision later." introductionVersion:"1.0.0"`
 
-	WatchFS                  bool          `yaml:"watch_fs" env:"STORAGE_USERS_POSIX_WATCH_FS" desc:"Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly." introductionVersion:"2.0.0"`
-	WatchType                string        `yaml:"watch_type" env:"STORAGE_USERS_POSIX_WATCH_TYPE" desc:"Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'cephfs', 'gpfswatchfolder' and 'gpfsfileauditlogging'." introductionVersion:"1.0.0"`
-	WatchPath                string        `yaml:"watch_path" env:"STORAGE_USERS_POSIX_WATCH_PATH" desc:"Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch." introductionVersion:"1.0.0"`
-	WatchNotificationBrokers string        `yaml:"watch_notification_brokers" env:"STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS,STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS" desc:"Comma-separated list of kafka brokers to read the watchfolder events from." introductionVersion:"1.0.0" deprecationVersion:"%%NEXT%%" deprecationNotice:"STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS is deprecated and will be removed in a future version. Please use STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS instead."`
-	WatchRoot                string        `yaml:"watch_root" env:"STORAGE_USERS_POSIX_WATCH_ROOT" desc:"Path to the watch root directory. Event paths will be considered relative to this path. Only applies to the 'gpswatchfolder' and 'cephfs' watchers." introductionVersion:"%%NEXT%%"`
-	InotifyStatsFrequency    time.Duration `yaml:"inotify_stats_frequency" env:"STORAGE_USERS_POSIX_INOTIFY_STATS_FREQUENCY" desc:"Frequency to log inotify stats." introductionVersion:"%%NEXT%%"`
+	WatchFS                 bool   `yaml:"watch_fs" env:"STORAGE_USERS_POSIX_WATCH_FS" desc:"Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly." introductionVersion:"2.0.0"`
+	WatchType               string `yaml:"watch_type" env:"STORAGE_USERS_POSIX_WATCH_TYPE" desc:"Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'gpfswatchfolder' and 'gpfsfileauditlogging'." introductionVersion:"1.0.0"`
+	WatchPath               string `yaml:"watch_path" env:"STORAGE_USERS_POSIX_WATCH_PATH" desc:"Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch." introductionVersion:"1.0.0"`
+	WatchFolderKafkaBrokers string `yaml:"watch_folder_kafka_hosts" env:"STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS" desc:"Comma-separated list of kafka brokers to read the watchfolder events from." introductionVersion:"1.0.0"`
 }
 
 // Events combines the configuration options for the event bus.

services/storage-users/pkg/config/defaults/defaultconfig.go

@@ -123,7 +123,6 @@ func DefaultConfig() *config.Config {
 				MaxConcurrency:             5,
 				LockCycleDurationFactor:    30,
 				DisableMultipart:           true,
-				AsyncUploads:               true,
 			},
 			Decomposed: config.DecomposedDriver{
 				Propagator:                 "sync",
@@ -152,7 +151,6 @@ func DefaultConfig() *config.Config {
 				ScanDebounceDelay:          1 * time.Second,
 				WatchFS:                    false,
 				EnableFSRevisions:          false,
-				InotifyStatsFrequency:      5 * time.Minute,
 			},
 		},
 		Events: config.Events{

services/storage-users/pkg/revaconfig/drivers.go

@@ -140,9 +140,7 @@ func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]inte
 		"watch_fs":                   enableFSWatch,
 		"watch_type":                 cfg.Drivers.Posix.WatchType,
 		"watch_path":                 cfg.Drivers.Posix.WatchPath,
-		"watch_notification_brokers": cfg.Drivers.Posix.WatchNotificationBrokers,
-		"watch_root":                 cfg.Drivers.Posix.WatchRoot,
-		"inotify_stats_frequency":    cfg.Drivers.Posix.InotifyStatsFrequency,
+		"watch_folder_kafka_brokers": cfg.Drivers.Posix.WatchFolderKafkaBrokers,
 	}
 }
 

services/thumbnails/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/userlog/Makefile

@@ -8,6 +8,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/users/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/web/Makefile

@@ -1,6 +1,6 @@
 SHELL := bash
 NAME := web
-WEB_ASSETS_VERSION = v2.3.0
+WEB_ASSETS_VERSION = v2.2.0
 WEB_ASSETS_BRANCH = main
 
 ifneq (, $(shell command -v go 2> /dev/null)) # suppress `command not found warnings` for non go targets in CI
@@ -8,6 +8,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/webdav/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

services/webfinger/Makefile

@@ -6,6 +6,7 @@ include ../../.bingo/Variables.mk
 endif
 
 include ../../.make/default.mk
+include ../../.make/recursion.mk
 include ../../.make/go.mk
 include ../../.make/release.mk
 include ../../.make/docs.mk

tests/config/woodpecker/check_go_bin_cache.sh

@@ -7,15 +7,13 @@
 
 ROOT_PATH="$1"
 if [ -z "$1" ]; then
-    ROOT_PATH="/drone/src"
+    ROOT_PATH="/woodpecker/src/github.com/opencloud-eu/opencloud"
 fi
 BINGO_DIR="$ROOT_PATH/.bingo"
 
 # generate hash of a .bingo folder
 BINGO_HASH=$(cat "$BINGO_DIR"/* | sha256sum | cut -d ' ' -f 1)
 
-URL="$CACHE_ENDPOINT/$CACHE_BUCKET/opencloud/go-bin/$BINGO_HASH/$2"
-
 mc alias set s3 "$MC_HOST" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY"
 
 if mc ls --json s3/"$CACHE_BUCKET"/opencloud/go-bin/"$BINGO_HASH"/$2 | grep "\"status\":\"success\""; then

vendor/github.com/ceph/go-ceph/cephfs/directory.go

@@ -47,14 +47,7 @@ func (mount *MountInfo) OpenDir(path string) (*Directory, error) {
 //
 //	int ceph_closedir(struct ceph_mount_info *cmount, struct ceph_dir_result *dirp);
 func (dir *Directory) Close() error {
-	if dir.dir == nil {
-		return nil
-	}
-	if err := getError(C.ceph_closedir(dir.mount.mount, dir.dir)); err != nil {
-		return err
-	}
-	dir.dir = nil
-	return nil
+	return getError(C.ceph_closedir(dir.mount.mount, dir.dir))
 }
 
 // Inode represents an inode number in the file system.
@@ -148,9 +141,6 @@ func toDirEntryPlus(de *C.struct_dirent, s C.struct_ceph_statx) *DirEntryPlus {
 //
 //	int ceph_readdir_r(struct ceph_mount_info *cmount, struct ceph_dir_result *dirp, struct dirent *de);
 func (dir *Directory) ReadDir() (*DirEntry, error) {
-	if dir.dir == nil {
-		return nil, errBadFile
-	}
 	var de C.struct_dirent
 	ret := C.ceph_readdir_r(dir.mount.mount, dir.dir, &de)
 	if ret < 0 {
@@ -175,9 +165,6 @@ func (dir *Directory) ReadDir() (*DirEntry, error) {
 func (dir *Directory) ReadDirPlus(
 	want StatxMask, flags AtFlags) (*DirEntryPlus, error) {
 
-	if dir.dir == nil {
-		return nil, errBadFile
-	}
 	var (
 		de C.struct_dirent
 		s  C.struct_ceph_statx
@@ -206,9 +193,6 @@ func (dir *Directory) ReadDirPlus(
 //
 //	void ceph_rewinddir(struct ceph_mount_info *cmount, struct ceph_dir_result *dirp);
 func (dir *Directory) RewindDir() {
-	if dir.dir == nil {
-		return
-	}
 	C.ceph_rewinddir(dir.mount.mount, dir.dir)
 }
 

vendor/github.com/ceph/go-ceph/cephfs/errors.go

@@ -46,6 +46,4 @@ var (
 	errInvalid     = getError(-C.EINVAL)
 	errNameTooLong = getError(-C.ENAMETOOLONG)
 	errRange       = getError(-C.ERANGE)
-	errBadFile     = getError(-C.EBADF)
-	errNotDir      = getError(-C.ENOTDIR)
 )

vendor/github.com/ceph/go-ceph/cephfs/file.go

@@ -101,9 +101,6 @@ func (f *File) read(buf []byte, offset int64) (int, error) {
 	if err := f.validate(); err != nil {
 		return 0, err
 	}
-	if len(buf) == 0 {
-		return 0, nil
-	}
 	bufptr := (*C.char)(unsafe.Pointer(&buf[0]))
 	ret := C.ceph_read(
 		f.mount.mount, f.fd, bufptr, C.int64_t(len(buf)), C.int64_t(offset))
@@ -181,9 +178,6 @@ func (f *File) write(buf []byte, offset int64) (int, error) {
 	if err := f.validate(); err != nil {
 		return 0, err
 	}
-	if len(buf) == 0 {
-		return 0, nil
-	}
 	bufptr := (*C.char)(unsafe.Pointer(&buf[0]))
 	ret := C.ceph_write(
 		f.mount.mount, f.fd, bufptr, C.int64_t(len(buf)), C.int64_t(offset))

vendor/github.com/ceph/go-ceph/cephfs/fscompat.go

@@ -1,408 +0,0 @@
-//go:build ceph_preview
-
-package cephfs
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path"
-	"strings"
-	"time"
-
-	"github.com/ceph/go-ceph/internal/log"
-)
-
-var (
-	errIsDir = errors.New("is a directory")
-)
-
-// MountWrapper provides a wrapper type that adapts a CephFS Mount into a
-// io.FS compatible type.
-type MountWrapper struct {
-	mount       *MountInfo
-	enableTrace bool
-}
-
-type fileWrapper struct {
-	parent *MountWrapper
-	file   *File
-	name   string
-}
-
-type dirWrapper struct {
-	parent    *MountWrapper
-	directory *Directory
-	name      string
-}
-
-type dentryWrapper struct {
-	parent *MountWrapper
-	de     *DirEntryPlus
-}
-
-type infoWrapper struct {
-	parent *MountWrapper
-	sx     *CephStatx
-	name   string
-}
-
-// Wrap a CephFS Mount object into a new type that is compatible with Go's io.FS
-// interface. CephFS Mounts are not compatible with io.FS directly because the
-// go-ceph library predates the addition of io.FS to Go as well as the fact that
-// go-ceph attempts to provide APIs that match the cephfs libraries first and
-// foremost.
-func Wrap(mount *MountInfo) *MountWrapper {
-	wm := &MountWrapper{mount: mount}
-	debugf(wm, "Wrap", "created")
-	return wm
-}
-
-/* MountWrapper:
-** Implements https://pkg.go.dev/io/fs#FS
-** Wraps cephfs.MountInfo
- */
-
-// SetTracing configures the MountWrapper and objects connected to it for debug
-// tracing. True enables tracing and false disables it. A debug logging
-// function must also be set using go-ceph's common.log.SetDebugf function.
-func (mw *MountWrapper) SetTracing(enable bool) {
-	mw.enableTrace = enable
-}
-
-// identify the MountWrapper object for logging purposes.
-func (mw *MountWrapper) identify() string {
-	return fmt.Sprintf("MountWrapper<%p>", mw)
-}
-
-// trace returns true if debug tracing is enabled.
-func (mw *MountWrapper) trace() bool {
-	return mw.enableTrace
-}
-
-// Open opens the named file. This may be either a regular file or a directory.
-// Directories opened with this function will return object compatible with the
-// io.ReadDirFile interface.
-func (mw *MountWrapper) Open(name string) (fs.File, error) {
-	debugf(mw, "Open", "(%v)", name)
-	// there are a bunch of patterns that fsTetster/testfs looks for that seems
-	// under-documented. They mainly seem to try and enforce "clean" paths.
-	// look for them and reject them here because ceph libs won't reject on
-	// its own
-	if strings.HasPrefix(name, "/") ||
-		strings.HasSuffix(name, "/.") ||
-		strings.Contains(name, "//") ||
-		strings.Contains(name, "/./") ||
-		strings.Contains(name, "/../") {
-		return nil, &fs.PathError{Op: "open", Path: name, Err: errInvalid}
-	}
-
-	d, err := mw.mount.OpenDir(name)
-	if err == nil {
-		debugf(mw, "Open", "(%v): dir ok", name)
-		dw := &dirWrapper{parent: mw, directory: d, name: name}
-		return dw, nil
-	}
-	if !errors.Is(err, errNotDir) {
-		debugf(mw, "Open", "(%v): dir error: %v", name, err)
-		return nil, &fs.PathError{Op: "open", Path: name, Err: err}
-	}
-
-	f, err := mw.mount.Open(name, os.O_RDONLY, 0)
-	if err == nil {
-		debugf(mw, "Open", "(%v): file ok", name)
-		fw := &fileWrapper{parent: mw, file: f, name: name}
-		return fw, nil
-	}
-	debugf(mw, "Open", "(%v): file error: %v", name, err)
-	return nil, &fs.PathError{Op: "open", Path: name, Err: err}
-}
-
-/* fileWrapper:
-** Implements https://pkg.go.dev/io/fs#FS
-** Wraps cephfs.File
- */
-
-func (fw *fileWrapper) Stat() (fs.FileInfo, error) {
-	debugf(fw, "Stat", "()")
-	sx, err := fw.file.Fstatx(StatxBasicStats, AtSymlinkNofollow)
-	if err != nil {
-		debugf(fw, "Stat", "() -> err:%v", err)
-		return nil, &fs.PathError{Op: "stat", Path: fw.name, Err: err}
-	}
-	debugf(fw, "Stat", "() ok")
-	return &infoWrapper{fw.parent, sx, path.Base(fw.name)}, nil
-}
-
-func (fw *fileWrapper) Read(b []byte) (int, error) {
-	debugf(fw, "Read", "(...)")
-	return fw.file.Read(b)
-}
-
-func (fw *fileWrapper) Close() error {
-	debugf(fw, "Close", "()")
-	return fw.file.Close()
-}
-
-func (fw *fileWrapper) identify() string {
-	return fmt.Sprintf("fileWrapper<%p>[%v]", fw, fw.name)
-}
-
-func (fw *fileWrapper) trace() bool {
-	return fw.parent.trace()
-}
-
-/* dirWrapper:
-** Implements https://pkg.go.dev/io/fs#ReadDirFile
-** Wraps cephfs.Directory
- */
-
-func (dw *dirWrapper) Stat() (fs.FileInfo, error) {
-	debugf(dw, "Stat", "()")
-	sx, err := dw.parent.mount.Statx(dw.name, StatxBasicStats, AtSymlinkNofollow)
-	if err != nil {
-		debugf(dw, "Stat", "() -> err:%v", err)
-		return nil, &fs.PathError{Op: "stat", Path: dw.name, Err: err}
-	}
-	debugf(dw, "Stat", "() ok")
-	return &infoWrapper{dw.parent, sx, path.Base(dw.name)}, nil
-}
-
-func (dw *dirWrapper) Read(_ []byte) (int, error) {
-	debugf(dw, "Read", "(...)")
-	return 0, &fs.PathError{Op: "read", Path: dw.name, Err: errIsDir}
-}
-
-func (dw *dirWrapper) ReadDir(n int) ([]fs.DirEntry, error) {
-	debugf(dw, "ReadDir", "(%v)", n)
-	if n > 0 {
-		return dw.readDirSome(n)
-	}
-	return dw.readDirAll()
-}
-
-const defaultDirReadCount = 256 // how many entries to read per loop
-
-func (dw *dirWrapper) readDirAll() ([]fs.DirEntry, error) {
-	debugf(dw, "readDirAll", "()")
-	var (
-		err     error
-		egroup  []fs.DirEntry
-		entries = make([]fs.DirEntry, 0)
-		size    = defaultDirReadCount
-	)
-	for {
-		egroup, err = dw.readDirSome(size)
-		entries = append(entries, egroup...)
-		if err == io.EOF {
-			err = nil
-			break
-		}
-		if err != nil {
-			break
-		}
-	}
-	debugf(dw, "readDirAll", "() -> len:%v, err:%v", len(entries), err)
-	return entries, err
-}
-
-func (dw *dirWrapper) readDirSome(n int) ([]fs.DirEntry, error) {
-	debugf(dw, "readDirSome", "(%v)", n)
-	var (
-		idx     int
-		err     error
-		entry   *DirEntryPlus
-		entries = make([]fs.DirEntry, n)
-	)
-	for {
-		entry, err = dw.directory.ReadDirPlus(StatxBasicStats, AtSymlinkNofollow)
-		debugf(dw, "readDirSome", "(%v): got entry:%v, err:%v", n, entry, err)
-		if err != nil || entry == nil {
-			break
-		}
-		switch entry.Name() {
-		case ".", "..":
-			continue
-		}
-		entries[idx] = &dentryWrapper{dw.parent, entry}
-		idx++
-		if idx >= n {
-			break
-		}
-	}
-	if idx == 0 {
-		debugf(dw, "readDirSome", "(%v): EOF", n)
-		return nil, io.EOF
-	}
-	debugf(dw, "readDirSome", "(%v): got entry:%v, err:%v", n, entries[:idx], err)
-	return entries[:idx], err
-}
-
-func (dw *dirWrapper) Close() error {
-	debugf(dw, "Close", "()")
-	return dw.directory.Close()
-}
-
-func (dw *dirWrapper) identify() string {
-	return fmt.Sprintf("dirWrapper<%p>[%v]", dw, dw.name)
-}
-
-func (dw *dirWrapper) trace() bool {
-	return dw.parent.trace()
-}
-
-/* dentryWrapper:
-** Implements https://pkg.go.dev/io/fs#DirEntry
-** Wraps cephfs.DirEntryPlus
- */
-
-func (dew *dentryWrapper) Name() string {
-	debugf(dew, "Name", "()")
-	return dew.de.Name()
-}
-
-func (dew *dentryWrapper) IsDir() bool {
-	v := dew.de.DType() == DTypeDir
-	debugf(dew, "IsDir", "() -> %v", v)
-	return v
-}
-
-func (dew *dentryWrapper) Type() fs.FileMode {
-	m := dew.de.Statx().Mode
-	v := cephModeToFileMode(m).Type()
-	debugf(dew, "Type", "() -> %v", v)
-	return v
-}
-
-func (dew *dentryWrapper) Info() (fs.FileInfo, error) {
-	debugf(dew, "Info", "()")
-	sx := dew.de.Statx()
-	name := dew.de.Name()
-	return &infoWrapper{dew.parent, sx, name}, nil
-}
-
-func (dew *dentryWrapper) identify() string {
-	return fmt.Sprintf("dentryWrapper<%p>[%v]", dew, dew.de.Name())
-}
-
-func (dew *dentryWrapper) trace() bool {
-	return dew.parent.trace()
-}
-
-/* infoWrapper:
-** Implements https://pkg.go.dev/io/fs#FileInfo
-** Wraps cephfs.CephStatx
- */
-
-func (iw *infoWrapper) Name() string {
-	debugf(iw, "Name", "()")
-	return iw.name
-}
-
-func (iw *infoWrapper) Size() int64 {
-	debugf(iw, "Size", "() -> %v", iw.sx.Size)
-	return int64(iw.sx.Size)
-}
-
-func (iw *infoWrapper) Sys() any {
-	debugf(iw, "Sys", "()")
-	return iw.sx
-}
-
-func (iw *infoWrapper) Mode() fs.FileMode {
-	v := cephModeToFileMode(iw.sx.Mode)
-	debugf(iw, "Mode", "() -> %#o -> %#o/%v", iw.sx.Mode, uint32(v), v.Type())
-	return v
-}
-
-func (iw *infoWrapper) IsDir() bool {
-	v := iw.sx.Mode&modeIFMT == modeIFDIR
-	debugf(iw, "IsDir", "() -> %v", v)
-	return v
-}
-
-func (iw *infoWrapper) ModTime() time.Time {
-	v := time.Unix(iw.sx.Mtime.Sec, iw.sx.Mtime.Nsec)
-	debugf(iw, "ModTime", "() -> %v", v)
-	return v
-}
-
-func (iw *infoWrapper) identify() string {
-	return fmt.Sprintf("infoWrapper<%p>[%v]", iw, iw.name)
-}
-
-func (iw *infoWrapper) trace() bool {
-	return iw.parent.trace()
-}
-
-/* copy and paste values from the linux headers. We always need to use
-** the linux header values, regardless of the platform go-ceph is built
-** for. Rather than jumping through header hoops, copy and paste is
-** more consistent and reliable.
- */
-const (
-	/* file type mask */
-	modeIFMT = uint16(0170000)
-	/* file types */
-	modeIFDIR  = uint16(0040000)
-	modeIFCHR  = uint16(0020000)
-	modeIFBLK  = uint16(0060000)
-	modeIFREG  = uint16(0100000)
-	modeIFIFO  = uint16(0010000)
-	modeIFLNK  = uint16(0120000)
-	modeIFSOCK = uint16(0140000)
-	/* protection bits */
-	modeISUID = uint16(0004000)
-	modeISGID = uint16(0002000)
-	modeISVTX = uint16(0001000)
-)
-
-// cephModeToFileMode takes a linux compatible cephfs mode value
-// and returns a Go-compatiable os-agnostic FileMode value.
-func cephModeToFileMode(m uint16) fs.FileMode {
-	// start with permission bits
-	mode := fs.FileMode(m & 0777)
-	// file type - inspired by go's src/os/stat_linux.go
-	switch m & modeIFMT {
-	case modeIFBLK:
-		mode |= fs.ModeDevice
-	case modeIFCHR:
-		mode |= fs.ModeDevice | fs.ModeCharDevice
-	case modeIFDIR:
-		mode |= fs.ModeDir
-	case modeIFIFO:
-		mode |= fs.ModeNamedPipe
-	case modeIFLNK:
-		mode |= fs.ModeSymlink
-	case modeIFREG:
-		// nothing to do
-	case modeIFSOCK:
-		mode |= fs.ModeSocket
-	}
-	// protection bits
-	if m&modeISUID != 0 {
-		mode |= fs.ModeSetuid
-	}
-	if m&modeISGID != 0 {
-		mode |= fs.ModeSetgid
-	}
-	if m&modeISVTX != 0 {
-		mode |= fs.ModeSticky
-	}
-	return mode
-}
-
-// wrapperObject helps identify an object to be logged.
-type wrapperObject interface {
-	identify() string
-	trace() bool
-}
-
-// debugf formats info about a function and logs it.
-func debugf(o wrapperObject, fname, format string, args ...any) {
-	if o.trace() {
-		log.Debugf(fmt.Sprintf("%v.%v: %s", o.identify(), fname, format), args...)
-	}
-}

vendor/github.com/ceph/go-ceph/rados/rados_getaddrs.go

@@ -1,3 +1,5 @@
+//go:build ceph_preview
+
 package rados
 
 // #cgo LDFLAGS: -lrados

vendor/github.com/go-asn1-ber/asn1-ber/ber.go

@@ -412,7 +412,7 @@ func readPacket(reader io.Reader) (*Packet, int, error) {
 				p.Value = val
 			}
 		case TagRelativeOID:
-			oid, err := parseRelativeObjectIdentifier(content)
+			oid, err := parseObjectIdentifier(content)
 			if err == nil {
 				p.Value = OIDToString(oid)
 			}
@@ -560,14 +560,16 @@ func NewBoolean(classType Class, tagType Type, tag Tag, value bool, description
 
 // NewLDAPBoolean returns a RFC 4511-compliant Boolean packet.
 func NewLDAPBoolean(classType Class, tagType Type, tag Tag, value bool, description string) *Packet {
+	intValue := int64(0)
+
+	if value {
+		intValue = 255
+	}
+
 	p := Encode(classType, tagType, tag, nil, description)
 
 	p.Value = value
-	if value {
-		p.Data.Write([]byte{255})
-	} else {
-		p.Data.Write([]byte{0})
-	}
+	p.Data.Write(encodeInteger(intValue))
 
 	return p
 }
@@ -661,25 +663,6 @@ func NewOID(classType Class, tagType Type, tag Tag, value interface{}, descripti
 	return p
 }
 
-func NewRelativeOID(classType Class, tagType Type, tag Tag, value interface{}, description string) *Packet {
-	p := Encode(classType, tagType, tag, nil, description)
-
-	switch v := value.(type) {
-	case string:
-		encoded, err := encodeRelativeOID(v)
-		if err != nil {
-			fmt.Printf("failed writing %v", err)
-			return nil
-		}
-		p.Value = v
-		p.Data.Write(encoded)
-		// TODO: support []int already ?
-	default:
-		panic(fmt.Sprintf("Invalid type %T, expected float{64|32}", v))
-	}
-	return p
-}
-
 // encodeOID takes a string representation of an OID and returns its DER-encoded byte slice along with any error.
 func encodeOID(oidString string) ([]byte, error) {
 	// Convert the string representation to an asn1.ObjectIdentifier
@@ -705,26 +688,6 @@ func encodeOID(oidString string) ([]byte, error) {
 	return encoded, nil
 }
 
-func encodeRelativeOID(oidString string) ([]byte, error) {
-	parts := strings.Split(oidString, ".")
-	oid := make([]int, len(parts))
-	for i, part := range parts {
-		var val int
-		if _, err := fmt.Sscanf(part, "%d", &val); err != nil {
-			return nil, fmt.Errorf("invalid RELATIVE OID part '%s': %w", part, err)
-		}
-		oid[i] = val
-	}
-
-	encoded := make([]byte, 0)
-
-	for i := 0; i < len(oid); i++ {
-		encoded = appendBase128Int(encoded, int64(oid[i]))
-	}
-
-	return encoded, nil
-}
-
 func appendBase128Int(dst []byte, n int64) []byte {
 	l := base128IntLength(n)
 
@@ -809,27 +772,6 @@ func parseObjectIdentifier(bytes []byte) (s []int, err error) {
 	return
 }
 
-func parseRelativeObjectIdentifier(bytes []byte) (s []int, err error) {
-	if len(bytes) == 0 {
-		err = fmt.Errorf("zero length RELATIVE OBJECT IDENTIFIER")
-		return
-	}
-
-	s = make([]int, len(bytes)+1)
-
-	var v, offset int
-	i := 0
-	for ; offset < len(bytes); i++ {
-		v, offset, err = parseBase128Int(bytes, offset)
-		if err != nil {
-			return
-		}
-		s[i] = v
-	}
-	s = s[0:i]
-	return
-}
-
 // parseBase128Int parses a base-128 encoded int from the given offset in the
 // given byte slice. It returns the value and the new offset.
 func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {

vendor/github.com/go-ldap/ldap/v3/bind.go

@@ -3,19 +3,15 @@ package ldap
 import (
 	"bytes"
 	"crypto/md5"
-	"encoding/binary"
-	"encoding/hex"
 	enchex "encoding/hex"
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"math/rand"
 	"strings"
-	"unicode/utf16"
 
 	"github.com/Azure/go-ntlmssp"
 	ber "github.com/go-asn1-ber/asn1-ber"
-	"golang.org/x/crypto/md4" //nolint:staticcheck
 )
 
 // SimpleBindRequest represents a username/password bind operation
@@ -220,7 +216,7 @@ func (l *Conn) DigestMD5Bind(digestMD5BindRequest *DigestMD5BindRequest) (*Diges
 		}
 	}
 
-	if len(params) > 0 {
+	if params != nil {
 		resp := computeResponse(
 			params,
 			"ldap/"+strings.ToLower(digestMD5BindRequest.Host),
@@ -253,34 +249,6 @@ func (l *Conn) DigestMD5Bind(digestMD5BindRequest *DigestMD5BindRequest) (*Diges
 		if err != nil {
 			return nil, fmt.Errorf("read packet: %s", err)
 		}
-
-		if len(packet.Children) == 2 {
-			response := packet.Children[1]
-			if response == nil {
-				return result, GetLDAPError(packet)
-			}
-			if response.ClassType == ber.ClassApplication && response.TagType == ber.TypeConstructed && len(response.Children) >= 3 {
-				if ber.Type(response.Children[0].Tag) == ber.Type(ber.TagInteger) || ber.Type(response.Children[0].Tag) == ber.Type(ber.TagEnumerated) {
-					resultCode := uint16(response.Children[0].Value.(int64))
-					if resultCode == 14 {
-						msgCtx, err := l.doRequest(digestMD5BindRequest)
-						if err != nil {
-							return nil, err
-						}
-						defer l.finishMessage(msgCtx)
-						packetResponse, ok := <-msgCtx.responses
-						if !ok {
-							return nil, NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
-						}
-						packet, err = packetResponse.ReadPacket()
-						l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
-						if err != nil {
-							return nil, fmt.Errorf("read packet: %s", err)
-						}
-					}
-				}
-			}
-		}
 	}
 
 	err = GetLDAPError(packet)
@@ -438,36 +406,17 @@ type NTLMBindRequest struct {
 	Hash string
 	// Controls are optional controls to send with the bind request
 	Controls []Control
-	// Negotiator allows to specify a custom NTLM negotiator.
-	Negotiator NTLMNegotiator
 }
 
-// NTLMNegotiator is an abstraction of an NTLM implementation that produces and
-// processes NTLM binary tokens.
-type NTLMNegotiator interface {
-	Negotiate(domain string, workstation string) ([]byte, error)
-	ChallengeResponse(challenge []byte, username string, hash string) ([]byte, error)
-}
-
-func (req *NTLMBindRequest) appendTo(envelope *ber.Packet) (err error) {
+func (req *NTLMBindRequest) appendTo(envelope *ber.Packet) error {
 	request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
 	request.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
 	request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, "", "User Name"))
 
-	var negMessage []byte
-
 	// generate an NTLMSSP Negotiation message for the  specified domain (it can be blank)
-	switch {
-	case req.Negotiator == nil:
-		negMessage, err = ntlmssp.NewNegotiateMessage(req.Domain, "")
-		if err != nil {
-			return fmt.Errorf("create NTLM negotiate message: %s", err)
-		}
-	default:
-		negMessage, err = req.Negotiator.Negotiate(req.Domain, "")
-		if err != nil {
-			return fmt.Errorf("create NTLM negotiate message with custom negotiator: %s", err)
-		}
+	negMessage, err := ntlmssp.NewNegotiateMessage(req.Domain, "")
+	if err != nil {
+		return fmt.Errorf("err creating negmessage: %s", err)
 	}
 
 	// append the generated NTLMSSP message as a TagEnumerated BER value
@@ -565,29 +514,18 @@ func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindRes
 	if ntlmsspChallenge != nil {
 		var err error
 		var responseMessage []byte
-
-		switch {
-		case ntlmBindRequest.Hash == "" && ntlmBindRequest.Password == "" && !ntlmBindRequest.AllowEmptyPassword:
-			err = fmt.Errorf("need a password or hash to generate reply")
-		case ntlmBindRequest.Negotiator == nil && ntlmBindRequest.Hash != "":
+		// generate a response message to the challenge with the given Username/Password if password is provided
+		if ntlmBindRequest.Hash != "" {
 			responseMessage, err = ntlmssp.ProcessChallengeWithHash(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Hash)
-		case ntlmBindRequest.Negotiator == nil && (ntlmBindRequest.Password != "" || ntlmBindRequest.AllowEmptyPassword):
-			// generate a response message to the challenge with the given Username/Password if password is provided
+		} else if ntlmBindRequest.Password != "" || ntlmBindRequest.AllowEmptyPassword {
 			_, _, domainNeeded := ntlmssp.GetDomain(ntlmBindRequest.Username)
 			responseMessage, err = ntlmssp.ProcessChallenge(ntlmsspChallenge, ntlmBindRequest.Username, ntlmBindRequest.Password, domainNeeded)
-		default:
-			hash := ntlmBindRequest.Hash
-			if len(hash) == 0 {
-				hash = ntHash(ntlmBindRequest.Password)
-			}
-
-			responseMessage, err = ntlmBindRequest.Negotiator.ChallengeResponse(ntlmsspChallenge, ntlmBindRequest.Username, hash)
+		} else {
+			err = fmt.Errorf("need a password or hash to generate reply")
 		}
-
 		if err != nil {
-			return result, fmt.Errorf("process NTLM challenge: %s", err)
+			return result, fmt.Errorf("parsing ntlm-challenge: %s", err)
 		}
-
 		packet = ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
 		packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
 
@@ -621,18 +559,6 @@ func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindRes
 	return result, err
 }
 
-func ntHash(pass string) string {
-	runes := utf16.Encode([]rune(pass))
-
-	b := bytes.Buffer{}
-	_ = binary.Write(&b, binary.LittleEndian, &runes)
-
-	hash := md4.New()
-	_, _ = hash.Write(b.Bytes())
-
-	return hex.EncodeToString(hash.Sum(nil))
-}
-
 // GSSAPIClient interface is used as the client-side implementation for the
 // GSSAPI SASL mechanism.
 // Interface inspired by GSSAPIClient from golang.org/x/crypto/ssh
@@ -651,9 +577,6 @@ type GSSAPIClient interface {
 	// to InitSecContext via the token parameters.
 	// See RFC 4752 section 3.1.
 	InitSecContext(target string, token []byte) (outputToken []byte, needContinue bool, err error)
-	// InitSecContextWithOptions is the same as InitSecContext but allows for additional options to be passed to the context establishment.
-	// See RFC 4752 section 3.1.
-	InitSecContextWithOptions(target string, token []byte, options []int) (outputToken []byte, needContinue bool, err error)
 	// NegotiateSaslAuth performs the last step of the Sasl handshake.
 	// It takes a token, which, when unwrapped, describes the servers supported
 	// security layers (first octet) and maximum receive buffer (remaining
@@ -691,11 +614,6 @@ func (l *Conn) GSSAPIBind(client GSSAPIClient, servicePrincipal, authzid string)
 
 // GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
 func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest) error {
-	return l.GSSAPIBindRequestWithAPOptions(client, req, []int{})
-}
-
-// GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
-func (l *Conn) GSSAPIBindRequestWithAPOptions(client GSSAPIClient, req *GSSAPIBindRequest, APOptions []int) error {
 	//nolint:errcheck
 	defer client.DeleteSecContext()
 
@@ -706,7 +624,7 @@ func (l *Conn) GSSAPIBindRequestWithAPOptions(client GSSAPIClient, req *GSSAPIBi
 	for {
 		if needInit {
 			// Establish secure context between client and server.
-			reqToken, needInit, err = client.InitSecContextWithOptions(req.ServicePrincipalName, recvToken, APOptions)
+			reqToken, needInit, err = client.InitSecContext(req.ServicePrincipalName, recvToken)
 			if err != nil {
 				return err
 			}

vendor/github.com/go-ldap/ldap/v3/control.go

@@ -709,7 +709,7 @@ func (c *ControlDirSync) Encode() *ber.Packet {
 
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Control")
 	packet.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, ControlTypeDirSync, "Control Type ("+ControlTypeMap[ControlTypeDirSync]+")"))
-	packet.AppendChild(ber.NewLDAPBoolean(ber.ClassUniversal, ber.TypePrimitive, ber.TagBoolean, c.Criticality, "Criticality")) // must be true always
+	packet.AppendChild(ber.NewBoolean(ber.ClassUniversal, ber.TypePrimitive, ber.TagBoolean, c.Criticality, "Criticality")) // must be true always
 
 	val := ber.Encode(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, nil, "Control Value (DirSync)")
 	seq := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "DirSync Control Value")
@@ -755,7 +755,7 @@ func NewControlServerSideSorting(value *ber.Packet) (*ControlServerSideSorting,
 	sequences := val[0].Children
 
 	for i, sequence := range sequences {
-		sortKey := new(SortKey)
+		sortKey := &SortKey{}
 
 		if len(sequence.Children) < 2 {
 			return nil, fmt.Errorf("attributeType or matchingRule is missing from sequence %d", i)
@@ -864,14 +864,10 @@ func (c ControlServerSideSortingCode) Valid() error {
 }
 
 func NewControlServerSideSortingResult(pkt *ber.Packet) (*ControlServerSideSortingResult, error) {
-	control := new(ControlServerSideSortingResult)
+	control := &ControlServerSideSortingResult{}
 
 	if pkt == nil || len(pkt.Children) == 0 {
-		// This is currently not compliant with the ServerSideSorting RFC (see https://datatracker.ietf.org/doc/html/rfc2891#section-1.2).
-		// but it's necessary because there seems to be a bug in the implementation of the popular OpenLDAP server.
-		//
-		// See: https://github.com/go-ldap/ldap/pull/546
-		return control, nil
+		return nil, fmt.Errorf("bad packet")
 	}
 
 	codeInt, err := ber.ParseInt64(pkt.Children[0].Data.Bytes())
@@ -879,7 +875,8 @@ func NewControlServerSideSortingResult(pkt *ber.Packet) (*ControlServerSideSorti
 		return nil, err
 	}
 
-	if err = ControlServerSideSortingCode(codeInt).Valid(); err != nil {
+	code := ControlServerSideSortingCode(codeInt)
+	if err := code.Valid(); err != nil {
 		return nil, err
 	}
 

vendor/github.com/go-sql-driver/mysql/CHANGELOG.md

@@ -1,10 +1,5 @@
 # Changelog
 
-## v1.9.2 (2025-04-07)
-
-v1.9.2 is a re-release of v1.9.1 due to a release process issue; no changes were made to the content.
-
-
 ## v1.9.1 (2025-03-21)
 
 ### Major Changes

vendor/github.com/jonboulle/clockwork/README.md

@@ -2,9 +2,9 @@
 
 [![Mentioned in Awesome Go](https://awesome.re/mentioned-badge-flat.svg)](https://github.com/avelino/awesome-go#utilities)
 
-[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/jonboulle/clockwork/ci.yaml?style=flat-square)](https://github.com/jonboulle/clockwork/actions?query=workflow%3ACI)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/jonboulle/clockwork/CI?style=flat-square)](https://github.com/jonboulle/clockwork/actions?query=workflow%3ACI)
 [![Go Report Card](https://goreportcard.com/badge/github.com/jonboulle/clockwork?style=flat-square)](https://goreportcard.com/report/github.com/jonboulle/clockwork)
-![Go Version](https://img.shields.io/badge/go%20version-%3E=1.15-61CFDD.svg?style=flat-square)
+![Go Version](https://img.shields.io/badge/go%20version-%3E=1.11-61CFDD.svg?style=flat-square)
 [![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/mod/github.com/jonboulle/clockwork)
 
 **A simple fake clock for Go.**
@@ -36,7 +36,6 @@ Now you can easily test `myFunc` with a `FakeClock`:
 
 ```go
 func TestMyFunc(t *testing.T) {
-	ctx := context.Background()
 	c := clockwork.NewFakeClock()
 
 	// Start our sleepy function
@@ -47,12 +46,8 @@ func TestMyFunc(t *testing.T) {
 		wg.Done()
 	}()
 
-	// Ensure we wait until myFunc is waiting on the clock.
-	// Use a context to avoid blocking forever if something
-	// goes wrong.
-	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-	c.BlockUntilContext(ctx, 1)
+	// Ensure we wait until myFunc is sleeping
+	c.BlockUntil(1)
 
 	assertState()
 

vendor/github.com/jonboulle/clockwork/SECURITY.md

@@ -1,19 +0,0 @@
-# Security Policy
-
-If you have discovered a security vulnerability in this project, please report it
-privately. **Do not disclose it as a public issue.** This gives me time to work with you
-to fix the issue before public exposure, reducing the chance that the exploit will be
-used before a patch is released.
-
-You may submit the report in the following ways:
-
-- send an email to ???@???; and/or
-- send a [private vulnerability report](https://github.com/jonboulle/clockwork/security/advisories/new)
-
-Please provide the following information in your report:
-
-- A description of the vulnerability and its impact
-- How to reproduce the issue
-
-This project is maintained by a single maintainer on a reasonable-effort basis. As such,
-please give me 90 days to work on a fix before public exposure.

vendor/github.com/jonboulle/clockwork/clockwork.go

@@ -1,25 +1,30 @@
-// Package clockwork contains a simple fake clock for Go.
 package clockwork
 
 import (
-	"context"
-	"errors"
-	"slices"
 	"sync"
 	"time"
 )
 
-// Clock provides an interface that packages can use instead of directly using
-// the [time] module, so that chronology-related behavior can be tested.
+// Clock provides an interface that packages can use instead of directly
+// using the time module, so that chronology-related behavior can be tested
 type Clock interface {
 	After(d time.Duration) <-chan time.Time
 	Sleep(d time.Duration)
 	Now() time.Time
 	Since(t time.Time) time.Duration
-	Until(t time.Time) time.Duration
 	NewTicker(d time.Duration) Ticker
-	NewTimer(d time.Duration) Timer
-	AfterFunc(d time.Duration, f func()) Timer
+}
+
+// FakeClock provides an interface for a clock which can be
+// manually advanced through time
+type FakeClock interface {
+	Clock
+	// Advance advances the FakeClock to a new point in time, ensuring any existing
+	// sleepers are notified appropriately before returning
+	Advance(d time.Duration)
+	// BlockUntil will block until the FakeClock has the given number of
+	// sleepers (callers of Sleep or After)
+	BlockUntil(n int)
 }
 
 // NewRealClock returns a Clock which simply delegates calls to the actual time
@@ -28,6 +33,21 @@ func NewRealClock() Clock {
 	return &realClock{}
 }
 
+// NewFakeClock returns a FakeClock implementation which can be
+// manually advanced through time for testing. The initial time of the
+// FakeClock will be an arbitrary non-zero time.
+func NewFakeClock() FakeClock {
+	// use a fixture that does not fulfill Time.IsZero()
+	return NewFakeClockAt(time.Date(1984, time.April, 4, 0, 0, 0, 0, time.UTC))
+}
+
+// NewFakeClockAt returns a FakeClock initialised at the given time.Time.
+func NewFakeClockAt(t time.Time) FakeClock {
+	return &fakeClock{
+		time: t,
+	}
+}
+
 type realClock struct{}
 
 func (rc *realClock) After(d time.Duration) <-chan time.Time {
@@ -46,274 +66,130 @@ func (rc *realClock) Since(t time.Time) time.Duration {
 	return rc.Now().Sub(t)
 }
 
-func (rc *realClock) Until(t time.Time) time.Duration {
-	return t.Sub(rc.Now())
-}
-
 func (rc *realClock) NewTicker(d time.Duration) Ticker {
-	return realTicker{time.NewTicker(d)}
+	return &realTicker{time.NewTicker(d)}
 }
 
-func (rc *realClock) NewTimer(d time.Duration) Timer {
-	return realTimer{time.NewTimer(d)}
-}
-
-func (rc *realClock) AfterFunc(d time.Duration, f func()) Timer {
-	return realTimer{time.AfterFunc(d, f)}
-}
-
-// FakeClock provides an interface for a clock which can be manually advanced
-// through time.
-//
-// FakeClock maintains a list of "waiters," which consists of all callers
-// waiting on the underlying clock (i.e. Tickers and Timers including callers of
-// Sleep or After). Users can call BlockUntil to block until the clock has an
-// expected number of waiters.
-type FakeClock struct {
-	// l protects all attributes of the clock, including all attributes of all
-	// waiters and blockers.
-	l        sync.RWMutex
-	waiters  []expirer
+type fakeClock struct {
+	sleepers []*sleeper
 	blockers []*blocker
 	time     time.Time
+
+	l sync.RWMutex
 }
 
-// NewFakeClock returns a FakeClock implementation which can be
-// manually advanced through time for testing. The initial time of the
-// FakeClock will be the current system time.
-//
-// Tests that require a deterministic time must use NewFakeClockAt.
-func NewFakeClock() *FakeClock {
-	return NewFakeClockAt(time.Now())
+// sleeper represents a caller of After or Sleep
+type sleeper struct {
+	until time.Time
+	done  chan time.Time
 }
 
-// NewFakeClockAt returns a FakeClock initialised at the given time.Time.
-func NewFakeClockAt(t time.Time) *FakeClock {
-	return &FakeClock{
-		time: t,
-	}
-}
-
-// blocker is a caller of BlockUntil.
+// blocker represents a caller of BlockUntil
 type blocker struct {
 	count int
-
-	// ch is closed when the underlying clock has the specified number of blockers.
-	ch chan struct{}
+	ch    chan struct{}
 }
 
-// expirer is a timer or ticker that expires at some point in the future.
-type expirer interface {
-	// expire the expirer at the given time, returning the desired duration until
-	// the next expiration, if any.
-	expire(now time.Time) (next *time.Duration)
-
-	// Get and set the expiration time.
-	expiration() time.Time
-	setExpiration(time.Time)
-}
-
-// After mimics [time.After]; it waits for the given duration to elapse on the
+// After mimics time.After; it waits for the given duration to elapse on the
 // fakeClock, then sends the current time on the returned channel.
-func (fc *FakeClock) After(d time.Duration) <-chan time.Time {
-	return fc.NewTimer(d).Chan()
+func (fc *fakeClock) After(d time.Duration) <-chan time.Time {
+	fc.l.Lock()
+	defer fc.l.Unlock()
+	now := fc.time
+	done := make(chan time.Time, 1)
+	if d.Nanoseconds() <= 0 {
+		// special case - trigger immediately
+		done <- now
+	} else {
+		// otherwise, add to the set of sleepers
+		s := &sleeper{
+			until: now.Add(d),
+			done:  done,
+		}
+		fc.sleepers = append(fc.sleepers, s)
+		// and notify any blockers
+		fc.blockers = notifyBlockers(fc.blockers, len(fc.sleepers))
+	}
+	return done
 }
 
-// Sleep blocks until the given duration has passed on the fakeClock.
-func (fc *FakeClock) Sleep(d time.Duration) {
+// notifyBlockers notifies all the blockers waiting until the
+// given number of sleepers are waiting on the fakeClock. It
+// returns an updated slice of blockers (i.e. those still waiting)
+func notifyBlockers(blockers []*blocker, count int) (newBlockers []*blocker) {
+	for _, b := range blockers {
+		if b.count == count {
+			close(b.ch)
+		} else {
+			newBlockers = append(newBlockers, b)
+		}
+	}
+	return
+}
+
+// Sleep blocks until the given duration has passed on the fakeClock
+func (fc *fakeClock) Sleep(d time.Duration) {
 	<-fc.After(d)
 }
 
-// Now returns the current time of the fakeClock
-func (fc *FakeClock) Now() time.Time {
+// Time returns the current time of the fakeClock
+func (fc *fakeClock) Now() time.Time {
 	fc.l.RLock()
-	defer fc.l.RUnlock()
-	return fc.time
+	t := fc.time
+	fc.l.RUnlock()
+	return t
 }
 
-// Since returns the duration that has passed since the given time on the
-// fakeClock.
-func (fc *FakeClock) Since(t time.Time) time.Duration {
+// Since returns the duration that has passed since the given time on the fakeClock
+func (fc *fakeClock) Since(t time.Time) time.Duration {
 	return fc.Now().Sub(t)
 }
 
-// Until returns the duration that has to pass from the given time on the fakeClock
-// to reach the given time.
-func (fc *FakeClock) Until(t time.Time) time.Duration {
-	return t.Sub(fc.Now())
-}
-
-// NewTicker returns a Ticker that will expire only after calls to
-// FakeClock.Advance() have moved the clock past the given duration.
-//
-// The duration d must be greater than zero; if not, NewTicker will panic.
-func (fc *FakeClock) NewTicker(d time.Duration) Ticker {
-	// Maintain parity with
-	// https://cs.opensource.google/go/go/+/refs/tags/go1.20.3:src/time/tick.go;l=23-25
-	if d <= 0 {
-		panic(errors.New("non-positive interval for NewTicker"))
+func (fc *fakeClock) NewTicker(d time.Duration) Ticker {
+	ft := &fakeTicker{
+		c:      make(chan time.Time, 1),
+		stop:   make(chan bool, 1),
+		clock:  fc,
+		period: d,
 	}
-	ft := newFakeTicker(fc, d)
-	fc.l.Lock()
-	defer fc.l.Unlock()
-	fc.setExpirer(ft, d)
+	ft.runTickThread()
 	return ft
 }
 
-// NewTimer returns a Timer that will fire only after calls to
-// fakeClock.Advance() have moved the clock past the given duration.
-func (fc *FakeClock) NewTimer(d time.Duration) Timer {
-	t, _ := fc.newTimer(d, nil)
-	return t
-}
-
-// AfterFunc mimics [time.AfterFunc]; it returns a Timer that will invoke the
-// given function only after calls to fakeClock.Advance() have moved the clock
-// past the given duration.
-func (fc *FakeClock) AfterFunc(d time.Duration, f func()) Timer {
-	t, _ := fc.newTimer(d, f)
-	return t
-}
-
-// newTimer returns a new timer using an optional afterFunc and the time that
-// timer expires.
-func (fc *FakeClock) newTimer(d time.Duration, afterfunc func()) (*fakeTimer, time.Time) {
-	ft := newFakeTimer(fc, afterfunc)
-	fc.l.Lock()
-	defer fc.l.Unlock()
-	fc.setExpirer(ft, d)
-	return ft, ft.expiration()
-}
-
-// newTimerAtTime is like newTimer, but uses a time instead of a duration.
-//
-// It is used to ensure FakeClock's lock is held constant through calling
-// fc.After(t.Sub(fc.Now())). It should not be exposed externally.
-func (fc *FakeClock) newTimerAtTime(t time.Time, afterfunc func()) *fakeTimer {
-	ft := newFakeTimer(fc, afterfunc)
-	fc.l.Lock()
-	defer fc.l.Unlock()
-	fc.setExpirer(ft, t.Sub(fc.time))
-	return ft
-}
-
-// Advance advances fakeClock to a new point in time, ensuring waiters and
-// blockers are notified appropriately before returning.
-func (fc *FakeClock) Advance(d time.Duration) {
+// Advance advances fakeClock to a new point in time, ensuring channels from any
+// previous invocations of After are notified appropriately before returning
+func (fc *fakeClock) Advance(d time.Duration) {
 	fc.l.Lock()
 	defer fc.l.Unlock()
 	end := fc.time.Add(d)
-	// Expire the earliest waiter until the earliest waiter's expiration is after
-	// end.
-	//
-	// We don't iterate because the callback of the waiter might register a new
-	// waiter, so the list of waiters might change as we execute this.
-	for len(fc.waiters) > 0 && !end.Before(fc.waiters[0].expiration()) {
-		w := fc.waiters[0]
-		fc.waiters = fc.waiters[1:]
-
-		// Use the waiter's expiration as the current time for this expiration.
-		now := w.expiration()
-		fc.time = now
-		if d := w.expire(now); d != nil {
-			// Set the new expiration if needed.
-			fc.setExpirer(w, *d)
+	var newSleepers []*sleeper
+	for _, s := range fc.sleepers {
+		if end.Sub(s.until) >= 0 {
+			s.done <- end
+		} else {
+			newSleepers = append(newSleepers, s)
 		}
 	}
+	fc.sleepers = newSleepers
+	fc.blockers = notifyBlockers(fc.blockers, len(fc.sleepers))
 	fc.time = end
 }
 
-// BlockUntil blocks until the FakeClock has the given number of waiters.
-//
-// Prefer BlockUntilContext in new code, which offers context cancellation to
-// prevent deadlock.
-//
-// Deprecated: New code should prefer BlockUntilContext.
-func (fc *FakeClock) BlockUntil(n int) {
-	fc.BlockUntilContext(context.TODO(), n)
-}
-
-// BlockUntilContext blocks until the fakeClock has the given number of waiters
-// or the context is cancelled.
-func (fc *FakeClock) BlockUntilContext(ctx context.Context, n int) error {
-	b := fc.newBlocker(n)
-	if b == nil {
-		return nil
-	}
-
-	select {
-	case <-b.ch:
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
-
-func (fc *FakeClock) newBlocker(n int) *blocker {
+// BlockUntil will block until the fakeClock has the given number of sleepers
+// (callers of Sleep or After)
+func (fc *fakeClock) BlockUntil(n int) {
 	fc.l.Lock()
-	defer fc.l.Unlock()
-	// Fast path: we already have >= n waiters.
-	if len(fc.waiters) >= n {
-		return nil
+	// Fast path: current number of sleepers is what we're looking for
+	if len(fc.sleepers) == n {
+		fc.l.Unlock()
+		return
 	}
-	// Set up a new blocker to wait for more waiters.
+	// Otherwise, set up a new blocker
 	b := &blocker{
 		count: n,
 		ch:    make(chan struct{}),
 	}
 	fc.blockers = append(fc.blockers, b)
-	return b
-}
-
-// stop stops an expirer, returning true if the expirer was stopped.
-func (fc *FakeClock) stop(e expirer) bool {
-	fc.l.Lock()
-	defer fc.l.Unlock()
-	return fc.stopExpirer(e)
-}
-
-// stopExpirer stops an expirer, returning true if the expirer was stopped.
-//
-// The caller must hold fc.l.
-func (fc *FakeClock) stopExpirer(e expirer) bool {
-	idx := slices.Index(fc.waiters, e)
-	if idx == -1 {
-		return false
-	}
-	// Remove element, maintaining order, setting inaccessible elements to nil so
-	// they can be garbage collected.
-	copy(fc.waiters[idx:], fc.waiters[idx+1:])
-	fc.waiters[len(fc.waiters)-1] = nil
-	fc.waiters = fc.waiters[:len(fc.waiters)-1]
-	return true
-}
-
-// setExpirer sets an expirer to expire at a future point in time.
-//
-// The caller must hold fc.l.
-func (fc *FakeClock) setExpirer(e expirer, d time.Duration) {
-	if d.Nanoseconds() <= 0 {
-		// Special case for timers with duration <= 0: trigger immediately, never
-		// reset.
-		//
-		// Tickers never get here, they panic if d is < 0.
-		e.expire(fc.time)
-		return
-	}
-	// Add the expirer to the set of waiters and notify any blockers.
-	e.setExpiration(fc.time.Add(d))
-	fc.waiters = append(fc.waiters, e)
-	slices.SortFunc(fc.waiters, func(a, b expirer) int {
-		return a.expiration().Compare(b.expiration())
-	})
-
-	// Notify blockers of our new waiter.
-	count := len(fc.waiters)
-	fc.blockers = slices.DeleteFunc(fc.blockers, func(b *blocker) bool {
-		if b.count <= count {
-			close(b.ch)
-			return true
-		}
-		return false
-	})
+	fc.l.Unlock()
+	<-b.ch
 }

vendor/github.com/jonboulle/clockwork/context.go

@@ -1,169 +0,0 @@
-package clockwork
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"time"
-)
-
-// contextKey is private to this package so we can ensure uniqueness here. This
-// type identifies context values provided by this package.
-type contextKey string
-
-// keyClock provides a clock for injecting during tests. If absent, a real clock
-// should be used.
-var keyClock = contextKey("clock") // clockwork.Clock
-
-// AddToContext creates a derived context that references the specified clock.
-//
-// Be aware this doesn't change the behavior of standard library functions, such
-// as [context.WithTimeout] or [context.WithDeadline]. For this reason, users
-// should prefer passing explicit [clockwork.Clock] variables rather can passing
-// the clock via the context.
-func AddToContext(ctx context.Context, clock Clock) context.Context {
-	return context.WithValue(ctx, keyClock, clock)
-}
-
-// FromContext extracts a clock from the context. If not present, a real clock
-// is returned.
-func FromContext(ctx context.Context) Clock {
-	if clock, ok := ctx.Value(keyClock).(Clock); ok {
-		return clock
-	}
-	return NewRealClock()
-}
-
-// ErrFakeClockDeadlineExceeded is the error returned by [context.Context] when
-// the deadline passes on a context which uses a [FakeClock].
-//
-// It wraps a [context.DeadlineExceeded] error, i.e.:
-//
-//	// The following is true for any Context whose deadline has been exceeded,
-//	// including contexts made with clockwork.WithDeadline or clockwork.WithTimeout.
-//
-//	errors.Is(ctx.Err(), context.DeadlineExceeded)
-//
-//	// The following can only be true for contexts made
-//	// with clockwork.WithDeadline or clockwork.WithTimeout.
-//
-//	errors.Is(ctx.Err(), clockwork.ErrFakeClockDeadlineExceeded)
-var ErrFakeClockDeadlineExceeded error = fmt.Errorf("clockwork.FakeClock: %w", context.DeadlineExceeded)
-
-// WithDeadline returns a context with a deadline based on a [FakeClock].
-//
-// The returned context ignores parent cancelation if the parent was cancelled
-// with a [context.DeadlineExceeded] error. Any other error returned by the
-// parent is treated normally, cancelling the returned context.
-//
-// If the parent is cancelled with a [context.DeadlineExceeded] error, the only
-// way to then cancel the returned context is by calling the returned
-// context.CancelFunc.
-func WithDeadline(parent context.Context, clock Clock, t time.Time) (context.Context, context.CancelFunc) {
-	if fc, ok := clock.(*FakeClock); ok {
-		return newFakeClockContext(parent, t, fc.newTimerAtTime(t, nil).Chan())
-	}
-	return context.WithDeadline(parent, t)
-}
-
-// WithTimeout returns a context with a timeout based on a [FakeClock].
-//
-// The returned context follows the same behaviors as [WithDeadline].
-func WithTimeout(parent context.Context, clock Clock, d time.Duration) (context.Context, context.CancelFunc) {
-	if fc, ok := clock.(*FakeClock); ok {
-		t, deadline := fc.newTimer(d, nil)
-		return newFakeClockContext(parent, deadline, t.Chan())
-	}
-	return context.WithTimeout(parent, d)
-}
-
-// fakeClockContext implements context.Context, using a fake clock for its
-// deadline.
-//
-// It ignores parent cancellation if the parent is cancelled with
-// context.DeadlineExceeded.
-type fakeClockContext struct {
-	parent   context.Context
-	deadline time.Time // The user-facing deadline based on the fake clock's time.
-
-	// Tracks timeout/deadline cancellation.
-	timerDone <-chan time.Time
-
-	// Tracks manual calls to the cancel function.
-	cancel       func() // Closes cancelCalled wrapped in a sync.Once.
-	cancelCalled chan struct{}
-
-	// The user-facing data from the context.Context interface.
-	ctxDone chan struct{} // Returned by Done().
-	err     error         // nil until ctxDone is ready to be closed.
-}
-
-func newFakeClockContext(parent context.Context, deadline time.Time, timer <-chan time.Time) (context.Context, context.CancelFunc) {
-	cancelCalled := make(chan struct{})
-	ctx := &fakeClockContext{
-		parent:       parent,
-		deadline:     deadline,
-		timerDone:    timer,
-		cancelCalled: cancelCalled,
-		ctxDone:      make(chan struct{}),
-		cancel: sync.OnceFunc(func() {
-			close(cancelCalled)
-		}),
-	}
-	ready := make(chan struct{}, 1)
-	go ctx.runCancel(ready)
-	<-ready // Wait until the cancellation goroutine is running.
-	return ctx, ctx.cancel
-}
-
-func (c *fakeClockContext) Deadline() (time.Time, bool) {
-	return c.deadline, true
-}
-
-func (c *fakeClockContext) Done() <-chan struct{} {
-	return c.ctxDone
-}
-
-func (c *fakeClockContext) Err() error {
-	<-c.Done() // Don't return the error before it is ready.
-	return c.err
-}
-
-func (c *fakeClockContext) Value(key any) any {
-	return c.parent.Value(key)
-}
-
-// runCancel runs the fakeClockContext's cancel goroutine and returns the
-// fakeClockContext's cancel function.
-//
-// fakeClockContext is then cancelled when any of the following occur:
-//
-//   - The fakeClockContext.done channel is closed by its timer.
-//   - The returned CancelFunc is executed.
-//   - The fakeClockContext's parent context is cancelled with an error other
-//     than context.DeadlineExceeded.
-func (c *fakeClockContext) runCancel(ready chan struct{}) {
-	parentDone := c.parent.Done()
-
-	// Close ready when done, just in case the ready signal races with other
-	// branches of our select statement below.
-	defer close(ready)
-
-	for c.err == nil {
-		select {
-		case <-c.timerDone:
-			c.err = ErrFakeClockDeadlineExceeded
-		case <-c.cancelCalled:
-			c.err = context.Canceled
-		case <-parentDone:
-			c.err = c.parent.Err()
-
-		case ready <- struct{}{}:
-			// Signals the cancellation goroutine has begun, in an attempt to minimize
-			// race conditions related to goroutine startup time.
-			ready = nil // This case statement can only fire once.
-		}
-	}
-	close(c.ctxDone)
-	return
-}

vendor/github.com/jonboulle/clockwork/ticker.go

@@ -1,71 +1,72 @@
 package clockwork
 
-import "time"
+import (
+	"time"
+)
 
-// Ticker provides an interface which can be used instead of directly using
-// [time.Ticker]. The real-time ticker t provides ticks through t.C which
-// becomes t.Chan() to make this channel requirement definable in this
-// interface.
+// Ticker provides an interface which can be used instead of directly
+// using the ticker within the time module. The real-time ticker t
+// provides ticks through t.C which becomes now t.Chan() to make
+// this channel requirement definable in this interface.
 type Ticker interface {
 	Chan() <-chan time.Time
-	Reset(d time.Duration)
 	Stop()
 }
 
 type realTicker struct{ *time.Ticker }
 
-func (r realTicker) Chan() <-chan time.Time {
-	return r.C
+func (rt *realTicker) Chan() <-chan time.Time {
+	return rt.C
 }
 
 type fakeTicker struct {
-	// The channel associated with the firer, used to send expiration times.
-	c chan time.Time
-
-	// The time when the ticker expires. Only meaningful if the ticker is currently
-	// one of a FakeClock's waiters.
-	exp time.Time
-
-	// reset and stop provide the implementation of the respective exported
-	// functions.
-	reset func(d time.Duration)
-	stop  func()
-
-	// The duration of the ticker.
-	d time.Duration
+	c      chan time.Time
+	stop   chan bool
+	clock  FakeClock
+	period time.Duration
 }
 
-func newFakeTicker(fc *FakeClock, d time.Duration) *fakeTicker {
-	var ft *fakeTicker
-	ft = &fakeTicker{
-		c: make(chan time.Time, 1),
-		d: d,
-		reset: func(d time.Duration) {
-			fc.l.Lock()
-			defer fc.l.Unlock()
-			ft.d = d
-			fc.setExpirer(ft, d)
-		},
-		stop: func() { fc.stop(ft) },
-	}
-	return ft
+func (ft *fakeTicker) Chan() <-chan time.Time {
+	return ft.c
 }
 
-func (f *fakeTicker) Chan() <-chan time.Time { return f.c }
-
-func (f *fakeTicker) Reset(d time.Duration) { f.reset(d) }
-
-func (f *fakeTicker) Stop() { f.stop() }
-
-func (f *fakeTicker) expire(now time.Time) *time.Duration {
-	// Never block on expiration.
-	select {
-	case f.c <- now:
-	default:
-	}
-	return &f.d
+func (ft *fakeTicker) Stop() {
+	ft.stop <- true
 }
 
-func (f *fakeTicker) expiration() time.Time { return f.exp }
-
-func (f *fakeTicker) setExpiration(t time.Time) { f.exp = t }
+// runTickThread initializes a background goroutine to send the tick time to the ticker channel
+// after every period. Tick events are discarded if the underlying ticker channel does not have
+// enough capacity.
+func (ft *fakeTicker) runTickThread() {
+	nextTick := ft.clock.Now().Add(ft.period)
+	next := ft.clock.After(ft.period)
+	go func() {
+		for {
+			select {
+			case <-ft.stop:
+				return
+			case <-next:
+				// We send the time that the tick was supposed to occur at.
+				tick := nextTick
+				// Before sending the tick, we'll compute the next tick time and star the clock.After call.
+				now := ft.clock.Now()
+				// First, figure out how many periods there have been between "now" and the time we were
+				// supposed to have trigged, then advance over all of those.
+				skipTicks := (now.Sub(tick) + ft.period - 1) / ft.period
+				nextTick = nextTick.Add(skipTicks * ft.period)
+				// Now, keep advancing until we are past now. This should happen at most once.
+				for !nextTick.After(now) {
+					nextTick = nextTick.Add(ft.period)
+				}
+				// Figure out how long between now and the next scheduled tick, then wait that long.
+				remaining := nextTick.Sub(now)
+				next = ft.clock.After(remaining)
+				// Finally, we can actually send the tick.
+				select {
+				case ft.c <- tick:
+				default:
+				}
+			}
+		}
+	}()
+}

vendor/github.com/jonboulle/clockwork/timer.go

@@ -1,79 +0,0 @@
-package clockwork
-
-import "time"
-
-// Timer provides an interface which can be used instead of directly using
-// [time.Timer]. The real-time timer t provides events through t.C which becomes
-// t.Chan() to make this channel requirement definable in this interface.
-type Timer interface {
-	Chan() <-chan time.Time
-	Reset(d time.Duration) bool
-	Stop() bool
-}
-
-type realTimer struct{ *time.Timer }
-
-func (r realTimer) Chan() <-chan time.Time {
-	return r.C
-}
-
-type fakeTimer struct {
-	// The channel associated with the firer, used to send expiration times.
-	c chan time.Time
-
-	// The time when the firer expires. Only meaningful if the firer is currently
-	// one of a FakeClock's waiters.
-	exp time.Time
-
-	// reset and stop provide the implementation of the respective exported
-	// functions.
-	reset func(d time.Duration) bool
-	stop  func() bool
-
-	// If present when the timer fires, the timer calls afterFunc in its own
-	// goroutine rather than sending the time on Chan().
-	afterFunc func()
-}
-
-func newFakeTimer(fc *FakeClock, afterfunc func()) *fakeTimer {
-	var ft *fakeTimer
-	ft = &fakeTimer{
-		c: make(chan time.Time, 1),
-		reset: func(d time.Duration) bool {
-			fc.l.Lock()
-			defer fc.l.Unlock()
-			// fc.l must be held across the calls to stopExpirer & setExpirer.
-			stopped := fc.stopExpirer(ft)
-			fc.setExpirer(ft, d)
-			return stopped
-		},
-		stop: func() bool { return fc.stop(ft) },
-
-		afterFunc: afterfunc,
-	}
-	return ft
-}
-
-func (f *fakeTimer) Chan() <-chan time.Time { return f.c }
-
-func (f *fakeTimer) Reset(d time.Duration) bool { return f.reset(d) }
-
-func (f *fakeTimer) Stop() bool { return f.stop() }
-
-func (f *fakeTimer) expire(now time.Time) *time.Duration {
-	if f.afterFunc != nil {
-		go f.afterFunc()
-		return nil
-	}
-
-	// Never block on expiration.
-	select {
-	case f.c <- now:
-	default:
-	}
-	return nil
-}
-
-func (f *fakeTimer) expiration() time.Time { return f.exp }
-
-func (f *fakeTimer) setExpiration(t time.Time) { f.exp = t }

vendor/github.com/libregraph/lico/bootstrap/backends/ldap/ldap.go

@@ -143,11 +143,10 @@ func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
 		AuthorizationEndpointURI: fullAuthorizationEndpointURL,
 		SignedOutEndpointURI:     fullSignedOutEndpointURL,
 
-		DefaultBannerLogo:        config.IdentifierDefaultBannerLogo,
-		DefaultSignInPageText:    config.IdentifierDefaultSignInPageText,
-		DefaultSignInPageLogoURI: config.IdentifierDefaultLogoTargetURI,
-		DefaultUsernameHintText:  config.IdentifierDefaultUsernameHintText,
-		UILocales:                config.IdentifierUILocales,
+		DefaultBannerLogo:       config.IdentifierDefaultBannerLogo,
+		DefaultSignInPageText:   config.IdentifierDefaultSignInPageText,
+		DefaultUsernameHintText: config.IdentifierDefaultUsernameHintText,
+		UILocales:               config.IdentifierUILocales,
 
 		Backend: identifierBackend,
 	})

vendor/github.com/libregraph/lico/bootstrap/backends/libregraph/libregraph.go

@@ -126,11 +126,10 @@ func NewIdentityManager(bs bootstrap.Bootstrap) (identity.Manager, error) {
 		AuthorizationEndpointURI: fullAuthorizationEndpointURL,
 		SignedOutEndpointURI:     fullSignedOutEndpointURL,
 
-		DefaultBannerLogo:        config.IdentifierDefaultBannerLogo,
-		DefaultSignInPageText:    config.IdentifierDefaultSignInPageText,
-		DefaultSignInPageLogoURI: config.IdentifierDefaultLogoTargetURI,
-		DefaultUsernameHintText:  config.IdentifierDefaultUsernameHintText,
-		UILocales:                config.IdentifierUILocales,
+		DefaultBannerLogo:       config.IdentifierDefaultBannerLogo,
+		DefaultSignInPageText:   config.IdentifierDefaultSignInPageText,
+		DefaultUsernameHintText: config.IdentifierDefaultUsernameHintText,
+		UILocales:               config.IdentifierUILocales,
 
 		Backend: identifierBackend,
 	})

vendor/github.com/libregraph/lico/bootstrap/bootstrap.go

@@ -33,7 +33,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/longsleep/rndm"
 	"github.com/sirupsen/logrus"
 
@@ -260,9 +260,6 @@ func (bs *bootstrap) initialize(settings *Settings) error {
 	if settings.IdentifierDefaultSignInPageText != "" {
 		bs.config.IdentifierDefaultSignInPageText = &settings.IdentifierDefaultSignInPageText
 	}
-	if settings.IdentifierDefaultLogoTargetURI != "" {
-		bs.config.IdentifierDefaultLogoTargetURI = &settings.IdentifierDefaultLogoTargetURI
-	}
 	if settings.IdentifierDefaultUsernameHintText != "" {
 		bs.config.IdentifierDefaultUsernameHintText = &settings.IdentifierDefaultUsernameHintText
 	}

vendor/github.com/libregraph/lico/bootstrap/config.go

@@ -24,7 +24,7 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v4"
 
 	"github.com/libregraph/lico/config"
 )
@@ -51,7 +51,6 @@ type Config struct {
 	IdentifierScopesConf              string
 	IdentifierDefaultBannerLogo       []byte
 	IdentifierDefaultSignInPageText   *string
-	IdentifierDefaultLogoTargetURI    *string
 	IdentifierDefaultUsernameHintText *string
 	IdentifierUILocales               []string
 

vendor/github.com/libregraph/lico/bootstrap/settings.go

@@ -44,7 +44,6 @@ type Settings struct {
 	IdentifierScopesConf              string
 	IdentifierDefaultBannerLogo       string
 	IdentifierDefaultSignInPageText   string
-	IdentifierDefaultLogoTargetURI    string
 	IdentifierDefaultUsernameHintText string
 	IdentifierUILocales               []string
 	SigningKid                        string

vendor/github.com/libregraph/lico/bootstrap/utils.go

@@ -16,8 +16,10 @@ import (
 	"strings"
 
 	"github.com/go-jose/go-jose/v3"
-	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/sirupsen/logrus"
+
+	"github.com/libregraph/lico/signing"
 )
 
 func parseJSONWebKey(jsonBytes []byte) (*jose.JSONWebKey, error) {
@@ -295,7 +297,7 @@ func validateSigners(bs *bootstrap) error {
 		if !haveECDSA {
 			return fmt.Errorf("no private key for signing method: %s", bs.config.SigningMethod.Alg())
 		}
-	case *jwt.SigningMethodEd25519:
+	case *signing.SigningMethodEdwardsCurve:
 		if !haveEd25519 {
 			return fmt.Errorf("no private key for signing method: %s", bs.config.SigningMethod.Alg())
 		}

vendor/github.com/libregraph/lico/claims.go

@@ -20,7 +20,7 @@ package lico
 import (
 	"errors"
 
-	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v4"
 
 	"github.com/libregraph/lico/oidc"
 	"github.com/libregraph/lico/oidc/payload"
@@ -67,7 +67,7 @@ const (
 
 // AccessTokenClaims define the claims found in access tokens issued.
 type AccessTokenClaims struct {
-	jwt.RegisteredClaims
+	jwt.StandardClaims
 
 	TokenType TokenTypeValue `json:"lg.t"`
 
@@ -81,16 +81,20 @@ type AccessTokenClaims struct {
 	*oidc.SessionClaims
 }
 
-// Validate implements the jwt.ClaimsValidator interface.
-func (c AccessTokenClaims) Validate() error {
-	if !c.TokenType.Is(TokenTypeAccessToken) {
-		return errors.New("not an access token")
+// Valid implements the jwt.Claims interface.
+func (c AccessTokenClaims) Valid() error {
+	if err := c.StandardClaims.Valid(); err != nil {
+		return err
 	}
-	if len(c.Audience) != 1 {
-		return errors.New("access token must have exactly one audience value")
+	if c.IdentityClaims != nil {
+		if err := c.IdentityClaims.Valid(); err != nil {
+			return err
+		}
 	}
-
-	return nil
+	if c.TokenType.Is(TokenTypeAccessToken) {
+		return nil
+	}
+	return errors.New("not an access token")
 }
 
 // AuthorizedScopes returns a map with scope keys and true value of all scopes
@@ -106,7 +110,7 @@ func (c AccessTokenClaims) AuthorizedScopes() map[string]bool {
 
 // RefreshTokenClaims define the claims used by refresh tokens.
 type RefreshTokenClaims struct {
-	jwt.RegisteredClaims
+	jwt.StandardClaims
 
 	TokenType TokenTypeValue `json:"lg.t"`
 
@@ -119,17 +123,20 @@ type RefreshTokenClaims struct {
 	IdentityProvider string        `json:"lg.p,omitempty"`
 }
 
-// Validate implements the jwt.ClaimsValidator interface.
-func (c RefreshTokenClaims) Validate() error {
-	if !c.TokenType.Is(TokenTypeRefreshToken) {
-		return errors.New("not a refresh token")
+// Valid implements the jwt.Claims interface.
+func (c RefreshTokenClaims) Valid() error {
+	if err := c.StandardClaims.Valid(); err != nil {
+		return err
 	}
-
-	if len(c.Audience) != 1 {
-		return errors.New("refresh token must have exactly one audience value")
+	if c.IdentityClaims != nil {
+		if err := c.IdentityClaims.Valid(); err != nil {
+			return err
+		}
 	}
-
-	return nil
+	if c.TokenType.Is(TokenTypeRefreshToken) {
+		return nil
+	}
+	return errors.New("not a refresh token")
 }
 
 // NumericIDClaims define the claims used with the konnect/id scope.
@@ -140,8 +147,8 @@ type NumericIDClaims struct {
 	NumericIDUsername string `json:"username,omitempty"`
 }
 
-// Validate implements the jwt.ClaimsValidator interface.
-func (c NumericIDClaims) Validate() error {
+// Valid implements the jwt.Claims interface.
+func (c NumericIDClaims) Valid() error {
 	if c.NumericIDUsername == "" {
 		return errors.New("username claim not valid")
 	}
@@ -153,8 +160,8 @@ type UniqueUserIDClaims struct {
 	UniqueUserID string `json:"lg.uuid,omitempty"`
 }
 
-// Validate implements the jwt.ClaimsValidator interface.
-func (c UniqueUserIDClaims) Validate() error {
+// Valid implements the jwt.Claims interface.
+func (c UniqueUserIDClaims) Valid() error {
 	if c.UniqueUserID == "" {
 		return errors.New("lg.uuid claim not valid")
 	}

vendor/github.com/libregraph/lico/context.go

@@ -21,7 +21,7 @@ import (
 	"context"
 	"net/http"
 
-	"github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt/v4"
 )
 
 // key is an unexported type for keys defined in this package.

vendor/github.com/libregraph/lico/identifier/api.go

@@ -47,11 +47,10 @@ func (i Identifier) writeHelloResponse(rw http.ResponseWriter, req *http.Request
 	response := &HelloResponse{
 		State: r.State,
 		Branding: &meta.Branding{
-			BannerLogo:        i.defaultBannerLogo,
-			UsernameHintText:  i.Config.DefaultUsernameHintText,
-			SignInPageText:    i.Config.DefaultSignInPageText,
-			SignInPageLogoURI: i.Config.DefaultSignInPageLogoURI,
-			Locales:           i.Config.UILocales,
+			BannerLogo:       i.defaultBannerLogo,
+			UsernameHintText: i.Config.DefaultUsernameHintText,
+			SignInPageText:   i.Config.DefaultSignInPageText,
+			Locales:          i.Config.UILocales,
 		},
 	}