s3: enforce authentication and JSON error format for Iceberg REST Catalog (#8192)

* s3: enforce authentication and JSON error format for Iceberg REST Catalog

* s3/iceberg: align error exception types with OpenAPI spec examples

* s3api: refactor AuthenticateRequest to return identity object

* s3/iceberg: propagate full identity object to request context

* s3/iceberg: differentiate NotAuthorizedException and ForbiddenException

* s3/iceberg: reject requests if authenticator is nil to prevent auth bypass

* s3/iceberg: refactor Auth middleware to build context incrementally and use switch for error mapping

* s3api: update misleading comment for authRequestWithAuthType

* s3api: return ErrAccessDenied if IAM is not configured to prevent auth bypass

* s3/iceberg: optimize context update in Auth middleware

* s3api: export CanDo for external authorization use

* s3/iceberg: enforce identity-based authorization in all API handlers

* s3api: fix compilation errors by updating internal CanDo references

* s3/iceberg: robust identity validation and consistent action usage in handlers

* s3api: complete CanDo rename across tests and policy engine integration

* s3api: fix integration tests by allowing admin access when auth is disabled and explicit gRPC ports

* duckdb

* create test bucket

weed/s3api/s3api_object_handlers_list_test.go

@@ -390,8 +390,8 @@ func TestObjectLevelListPermissions(t *testing.T) {
 			},
 		}
 
-		// Test cases for canDo method
-		// Note: canDo concatenates bucket + objectKey, so "test-bucket" + "/allowed-prefix/file.txt" = "test-bucket/allowed-prefix/file.txt"
+		// Test cases for CanDo method
+		// Note: CanDo concatenates bucket + objectKey, so "test-bucket" + "/allowed-prefix/file.txt" = "test-bucket/allowed-prefix/file.txt"
 		testCases := []struct {
 			name        string
 			action      Action
@@ -444,7 +444,7 @@ func TestObjectLevelListPermissions(t *testing.T) {
 
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
-				result := identity.canDo(tc.action, tc.bucket, tc.object)
+				result := identity.CanDo(tc.action, tc.bucket, tc.object)
 				assert.Equal(t, tc.shouldAllow, result, tc.description)
 			})
 		}
@@ -469,12 +469,12 @@ func TestObjectLevelListPermissions(t *testing.T) {
 		}
 
 		for _, tc := range testCases {
-			result := identity.canDo("List", "test-bucket", tc.object)
+			result := identity.CanDo("List", "test-bucket", tc.object)
 			assert.True(t, result, "Bucket-level permission should allow access to %s", tc.object)
 		}
 
 		// Should deny access to different buckets
-		result := identity.canDo("List", "other-bucket", "/file.txt")
+		result := identity.CanDo("List", "other-bucket", "/file.txt")
 		assert.False(t, result, "Should deny access to objects in different buckets")
 	})
 
@@ -553,7 +553,7 @@ func TestObjectLevelListPermissions(t *testing.T) {
 
 		// After our middleware fix, it should check permission for the prefix
 		// Simulate: action=ACTION_LIST && object=="" && prefix="/txzl/" → object="/txzl/"
-		result := identity.canDo("List", "bdaai-shared-bucket", "/txzl/")
+		result := identity.CanDo("List", "bdaai-shared-bucket", "/txzl/")
 
 		// This should be allowed because:
 		// target = "List:bdaai-shared-bucket/txzl/"
@@ -562,11 +562,11 @@ func TestObjectLevelListPermissions(t *testing.T) {
 		assert.True(t, result, "User with 'List:bdaai-shared-bucket/txzl/*' should be able to list with prefix txzl/")
 
 		// Test that they can't list with a different prefix
-		result = identity.canDo("List", "bdaai-shared-bucket", "/other-prefix/")
+		result = identity.CanDo("List", "bdaai-shared-bucket", "/other-prefix/")
 		assert.False(t, result, "User should not be able to list with a different prefix")
 
 		// Test that they can't list a different bucket
-		result = identity.canDo("List", "other-bucket", "/txzl/")
+		result = identity.CanDo("List", "other-bucket", "/txzl/")
 		assert.False(t, result, "User should not be able to list a different bucket")
 	})