s3: enforce authentication and JSON error format for Iceberg REST Catalog (#8192)

* s3: enforce authentication and JSON error format for Iceberg REST Catalog

* s3/iceberg: align error exception types with OpenAPI spec examples

* s3api: refactor AuthenticateRequest to return identity object

* s3/iceberg: propagate full identity object to request context

* s3/iceberg: differentiate NotAuthorizedException and ForbiddenException

* s3/iceberg: reject requests if authenticator is nil to prevent auth bypass

* s3/iceberg: refactor Auth middleware to build context incrementally and use switch for error mapping

* s3api: update misleading comment for authRequestWithAuthType

* s3api: return ErrAccessDenied if IAM is not configured to prevent auth bypass

* s3/iceberg: optimize context update in Auth middleware

* s3api: export CanDo for external authorization use

* s3/iceberg: enforce identity-based authorization in all API handlers

* s3api: fix compilation errors by updating internal CanDo references

* s3/iceberg: robust identity validation and consistent action usage in handlers

* s3api: complete CanDo rename across tests and policy engine integration

* s3api: fix integration tests by allowing admin access when auth is disabled and explicit gRPC ports

* duckdb

* create test bucket

test/s3tables/catalog/iceberg_catalog_test.go

@@ -22,10 +22,14 @@ type TestEnvironment struct {
 	weedBinary      string
 	dataDir         string
 	s3Port          int
+	s3GrpcPort      int
 	icebergPort     int
 	masterPort      int
+	masterGrpcPort  int
 	filerPort       int
+	filerGrpcPort   int
 	volumePort      int
+	volumeGrpcPort  int
 	weedProcess     *exec.Cmd
 	weedCancel      context.CancelFunc
 	dockerAvailable bool
@@ -93,28 +97,49 @@ func NewTestEnvironment(t *testing.T) *TestEnvironment {
 	if err != nil {
 		t.Fatalf("Failed to get free port for Iceberg: %v", err)
 	}
+	s3GrpcPort, err := getFreePort()
+	if err != nil {
+		t.Fatalf("Failed to get free port for S3 gRPC: %v", err)
+	}
 	masterPort, err := getFreePort()
 	if err != nil {
 		t.Fatalf("Failed to get free port for Master: %v", err)
 	}
+	masterGrpcPort, err := getFreePort()
+	if err != nil {
+		t.Fatalf("Failed to get free port for Master gRPC: %v", err)
+	}
 	filerPort, err := getFreePort()
 	if err != nil {
 		t.Fatalf("Failed to get free port for Filer: %v", err)
 	}
+	filerGrpcPort, err := getFreePort()
+	if err != nil {
+		t.Fatalf("Failed to get free port for Filer gRPC: %v", err)
+	}
 	volumePort, err := getFreePort()
 	if err != nil {
 		t.Fatalf("Failed to get free port for Volume: %v", err)
 	}
 
+	volumeGrpcPort, err := getFreePort()
+	if err != nil {
+		t.Fatalf("Failed to get free port for Volume gRPC: %v", err)
+	}
+
 	return &TestEnvironment{
 		seaweedDir:      seaweedDir,
 		weedBinary:      weedBinary,
 		dataDir:         dataDir,
 		s3Port:          s3Port,
+		s3GrpcPort:      s3GrpcPort,
 		icebergPort:     icebergPort,
 		masterPort:      masterPort,
+		masterGrpcPort:  masterGrpcPort,
 		filerPort:       filerPort,
+		filerGrpcPort:   filerGrpcPort,
 		volumePort:      volumePort,
+		volumeGrpcPort:  volumeGrpcPort,
 		dockerAvailable: hasDocker(),
 	}
 }
@@ -138,9 +163,13 @@ func (env *TestEnvironment) StartSeaweedFS(t *testing.T) {
 
 	cmd := exec.CommandContext(ctx, env.weedBinary, "mini",
 		"-master.port", fmt.Sprintf("%d", env.masterPort),
+		"-master.port.grpc", fmt.Sprintf("%d", env.masterGrpcPort),
 		"-volume.port", fmt.Sprintf("%d", env.volumePort),
+		"-volume.port.grpc", fmt.Sprintf("%d", env.volumeGrpcPort),
 		"-filer.port", fmt.Sprintf("%d", env.filerPort),
+		"-filer.port.grpc", fmt.Sprintf("%d", env.filerGrpcPort),
 		"-s3.port", fmt.Sprintf("%d", env.s3Port),
+		"-s3.port.grpc", fmt.Sprintf("%d", env.s3GrpcPort),
 		"-s3.port.iceberg", fmt.Sprintf("%d", env.icebergPort),
 		"-dir", env.dataDir,
 	)
@@ -244,6 +273,9 @@ func TestIcebergNamespaces(t *testing.T) {
 
 	env.StartSeaweedFS(t)
 
+	// Create the default table bucket first via S3
+	createTableBucket(t, env, "default")
+
 	// Test GET /v1/namespaces (should return empty list initially)
 	resp, err := http.Get(env.IcebergURL() + "/v1/namespaces")
 	if err != nil {
@@ -257,6 +289,33 @@ func TestIcebergNamespaces(t *testing.T) {
 	}
 }
 
+// createTableBucket creates a table bucket via the S3Tables REST API
+func createTableBucket(t *testing.T, env *TestEnvironment, bucketName string) {
+	t.Helper()
+
+	// Use S3Tables REST API to create the bucket
+	endpoint := fmt.Sprintf("http://localhost:%d/buckets", env.s3Port)
+
+	reqBody := fmt.Sprintf(`{"name":"%s"}`, bucketName)
+	req, err := http.NewRequest(http.MethodPut, endpoint, strings.NewReader(reqBody))
+	if err != nil {
+		t.Fatalf("Failed to create request: %v", err)
+	}
+	req.Header.Set("Content-Type", "application/x-amz-json-1.1")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("Failed to create table bucket %s: %v", bucketName, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusConflict {
+		body, _ := io.ReadAll(resp.Body)
+		t.Fatalf("Failed to create table bucket %s, status %d: %s", bucketName, resp.StatusCode, body)
+	}
+	t.Logf("Created table bucket %s", bucketName)
+}
+
 // TestDuckDBIntegration tests Iceberg catalog operations using DuckDB
 // This test requires Docker to be available
 func TestDuckDBIntegration(t *testing.T) {
@@ -294,8 +353,10 @@ SELECT 'Iceberg extension loaded successfully' as result;
 	cmd := exec.Command("docker", "run", "--rm",
 		"-v", fmt.Sprintf("%s:/test", env.dataDir),
 		"--add-host", "host.docker.internal:host-gateway",
+		"--entrypoint", "duckdb",
 		"duckdb/duckdb:latest",
-		"-c", ".read /test/test.sql",
+		"-init", "/test/test.sql",
+		"-c", "SELECT 1",
 	)
 
 	output, err := cmd.CombinedOutput()