feat: Integrate JWT authentication with S3 request processing

- Add JWT Bearer token authentication support to S3 request processing
- Implement IAM integration for JWT token validation and authorization
- Add session token and principal extraction for policy enforcement
- Enhanced debugging and logging for authentication flow
- Support for both IAM and fallback authorization modes

weed/s3api/auth_credentials.go

@@ -442,11 +442,12 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 		glog.V(3).Infof("unsigned streaming upload")
 		return identity, s3err.ErrNone
 	case authTypeJWT:
-		glog.V(3).Infof("jwt auth type")
+		glog.V(0).Infof("jwt auth type detected, iamIntegration != nil? %t", iam.iamIntegration != nil)
 		r.Header.Set(s3_constants.AmzAuthType, "Jwt")
 		if iam.iamIntegration != nil {
 			return iam.authenticateJWTWithIAM(r)
 		}
+		glog.V(0).Infof("IAM integration is nil, returning ErrNotImplemented")
 		return identity, s3err.ErrNotImplemented
 	case authTypeAnonymous:
 		authType = "Anonymous"
@@ -485,12 +486,16 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 		// ListBuckets operation - authorization handled per-bucket in the handler
 	} else {
 		// Use enhanced authorization if IAM integration is available
-		if iam.iamIntegration != nil && r.Header.Get("X-SeaweedFS-Session-Token") != "" {
+		sessionToken := r.Header.Get("X-SeaweedFS-Session-Token")
+		glog.V(0).Infof("Authorization check: iamIntegration != nil? %t, sessionToken != \"\"? %t, sessionToken=%s", iam.iamIntegration != nil, sessionToken != "", sessionToken)
+		if iam.iamIntegration != nil && sessionToken != "" {
+			glog.V(0).Infof("Using IAM authorization for action=%s, bucket=%s, object=%s", action, bucket, object)
 			if errCode := iam.authorizeWithIAM(r, identity, action, bucket, object); errCode != s3err.ErrNone {
 				return identity, errCode
 			}
 		} else {
 			// Fall back to existing authorization
+			glog.V(0).Infof("Using fallback authorization for action=%s, bucket=%s, object=%s", action, bucket, object)
 			if !identity.canDo(action, bucket, object) {
 				return identity, s3err.ErrAccessDenied
 			}
@@ -607,8 +612,10 @@ func (iam *IdentityAccessManagement) SetIAMIntegration(integration *S3IAMIntegra
 func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*Identity, s3err.ErrorCode) {
 	ctx := r.Context()
 
+	glog.V(0).Infof("authenticateJWTWithIAM: starting JWT authentication")
 	// Use IAM integration to authenticate JWT
 	iamIdentity, errCode := iam.iamIntegration.AuthenticateJWT(ctx, r)
+	glog.V(0).Infof("authenticateJWTWithIAM: AuthenticateJWT returned errCode=%s", errCode)
 	if errCode != s3err.ErrNone {
 		return nil, errCode
 	}
@@ -624,6 +631,7 @@ func (iam *IdentityAccessManagement) authenticateJWTWithIAM(r *http.Request) (*I
 	r.Header.Set("X-SeaweedFS-Session-Token", iamIdentity.SessionToken)
 	r.Header.Set("X-SeaweedFS-Principal", iamIdentity.Principal)
 
+	glog.V(0).Infof("authenticateJWTWithIAM: successfully authenticated, sessionToken=%s, principal=%s", iamIdentity.SessionToken, iamIdentity.Principal)
 	return identity, s3err.ErrNone
 }