S3: Enforce bucket policy (#7471)

* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out

1 files changed, 4 insertions, 2 deletions

diff --git a/weed/s3api/policy_engine/engine.go b/weed/s3api/policy_engine/engine.go
index 709fafda4..01af3c240 100644
--- a/weed/s3api/policy_engine/engine.go
+++ b/weed/s3api/policy_engine/engine.go
@@ -109,7 +109,7 @@ func (engine *PolicyEngine) evaluateCompiledPolicy(policy *CompiledPolicy, args
 	// AWS Policy evaluation logic:
 	// 1. Check for explicit Deny - if found, return Deny
 	// 2. Check for explicit Allow - if found, return Allow
-	// 3. If no explicit Allow is found, return Deny (default deny)
+	// 3. If no matching statements, return Indeterminate (fall through to IAM)
 
 	hasExplicitAllow := false
 
@@ -128,7 +128,9 @@ func (engine *PolicyEngine) evaluateCompiledPolicy(policy *CompiledPolicy, args
 		return PolicyResultAllow
 	}
 
-	return PolicyResultDeny // Default deny
+	// No matching statements - return Indeterminate to fall through to IAM
+	// This allows IAM policies to grant access even when bucket policy doesn't mention the action
+	return PolicyResultIndeterminate
 }
 
 // evaluateStatement evaluates a single policy statement