Address Onder's amazing comprehensive review

Harden catalog server security, configuration, and cross-catalog safety

Refactor GetRestCatalogOptionsFromCatalog into a clean dispatcher
(ResolveRestCatalogOptions) with two explicit builders:
BuildRestCatalogOptionsFromGUCs for the built-in 'rest' path and
BuildRestCatalogOptionsFromServer for user-created servers, plus shared
helpers ApplyGUCDefaults, ApplyServerOptionOverrides, and
ValidateRestCatalogOptions.  Add CopyRestCatalogOptions for safe
deep-copy into a target memory context.

Unify the three separate server option lists (whitelist array, errhint
string, applier chain) into a single IcebergCatalogOptionDesc descriptor
table with type, offsetof, and validation flags.  Adding or removing an
option is now a one-line change.

Add DDL-time value validation: reject empty strings for client_id,
client_secret, scope, catalog_name; require a URI scheme for
rest_endpoint, oauth_endpoint, location_prefix.

Require ACL_USAGE on user-created iceberg_catalog servers at CREATE TABLE
time, matching core's CREATE FOREIGN TABLE semantics.  Record a
DEPENDENCY_NORMAL from iceberg tables to their catalog server in
pg_depend so DROP SERVER is blocked (and CASCADE drops them).

Block ALTER SERVER RENAME for iceberg_catalog servers since dependent
tables store the server name as a string in ftoptions.

Block ALTER SERVER SET rest_endpoint when dependent writable tables exist
to prevent silently redirecting them to a different REST catalog.

Make GetRestCatalogName always return get_database_name(MyDatabaseId) for
writable tables so ALTER SERVER ADD catalog_name cannot re-route an
existing table to a different namespace.

Fix token cache hash key regression: zero the key buffer with MemSet
before strlcpy in BuildTokenCacheKey.  Add syscache invalidation callback
on FOREIGNSERVEROID to reset the token cache on ALTER/DROP SERVER, using
CacheMemoryContext as parent.  Add NULL guard on opts in
GetRestCatalogAccessToken.

Fix default_catalog GUC check hook to accept values outside a transaction
(ALTER SYSTEM + pg_reload_conf path), mirroring how PostgreSQL handles
check_default_tablespace.

Introduce ValidateXactRestCatalog as a fail-fast guard that checks
cross-catalog DML at statement time rather than at XACT_EVENT_PRE_COMMIT.
Planted in postgresBeginForeignModify and AddQueryResultToTable.  The
existing pre-commit check is retained as a belt-and-suspenders fallback.

Parametrize test_writable_rest_iceberg_table over built-in 'rest' and
user-created server paths.  Add tests for USAGE enforcement, dependency
tracking, server rename blocking, rest_endpoint blocking, catalog_name
re-routing, token cache invalidation, ALTER SYSTEM deferred validation,
option value validation, multi-table same-server transactions, and
cross-catalog rejection cleanup.

Signed-off-by: sfc-gh-npuka <naisila.puka@snowflake.com>

Author: sfc-gh-npuka

pg_lake_iceberg/include/pg_lake/rest_catalog/rest_catalog.h

@@ -101,8 +101,9 @@ typedef struct RestCatalogRequest
 #define GET_REST_CATALOG_METADATA_LOCATION "%s/api/catalog/v1/%s/namespaces/%s/tables/%s"
 
 /* Catalog options resolution */
-extern PGDLLEXPORT RestCatalogOptions * GetRestCatalogOptionsFromCatalog(const char *catalog);
+extern PGDLLEXPORT RestCatalogOptions * ResolveRestCatalogOptions(const char *catalog);
 extern PGDLLEXPORT RestCatalogOptions * GetRestCatalogOptionsForRelation(Oid relationId);
+extern PGDLLEXPORT RestCatalogOptions * CopyRestCatalogOptions(MemoryContext dst, const RestCatalogOptions * src);
 
 extern PGDLLEXPORT void RegisterNamespaceToRestCatalog(RestCatalogOptions * opts, const char *catalogName, const char *namespaceName);
 extern PGDLLEXPORT void StartStageRestCatalogIcebergTableCreate(Oid relationId);

pg_lake_iceberg/src/init.c

@@ -375,10 +375,16 @@ IcebergDefaultCatalogCheckHook(char **newvalue, void **extra, GucSource source)
 		return true;
 
 	/*
-	 * When catalog access is available, also accept user-created
-	 * iceberg_catalog foreign servers with TYPE 'rest'.
+	 * Outside a transaction we cannot do catalog lookups to verify that the
+	 * name refers to a valid iceberg_catalog server.  Accept the value on
+	 * faith; an invalid name will error at first use.  This mirrors how
+	 * PostgreSQL handles check_default_tablespace (see
+	 * src/backend/commands/tablespace.c).
 	 */
-	if (IsTransactionState() && IsRestCatalog(newCatalog))
+	if (!IsTransactionState())
+		return true;
+
+	if (IsRestCatalog(newCatalog))
 		return true;
 
 	GUC_check_errdetail("pg_lake_iceberg: allowed iceberg catalog options are '" POSTGRES_CATALOG_NAME "', "