S3: Enforce bucket policy (#7471)

* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out

1 files changed, 4 insertions, 4 deletions

diff --git a/weed/s3api/policy_engine/engine_test.go b/weed/s3api/policy_engine/engine_test.go
index 799579ce6..1bb36dc4a 100644
--- a/weed/s3api/policy_engine/engine_test.go
+++ b/weed/s3api/policy_engine/engine_test.go
@@ -76,8 +76,8 @@ func TestPolicyEngine(t *testing.T) {
 	}
 
 	result = engine.EvaluatePolicy("test-bucket", args)
-	if result != PolicyResultDeny {
-		t.Errorf("Expected Deny for non-matching action, got %v", result)
+	if result != PolicyResultIndeterminate {
+		t.Errorf("Expected Indeterminate for non-matching action (should fall through to IAM), got %v", result)
 	}
 
 	// Test GetBucketPolicy
@@ -471,8 +471,8 @@ func TestPolicyEvaluationWithConditions(t *testing.T) {
 	// Test non-matching IP
 	args.Conditions["aws:SourceIp"] = []string{"10.0.0.1"}
 	result = engine.EvaluatePolicy("test-bucket", args)
-	if result != PolicyResultDeny {
-		t.Errorf("Expected Deny for non-matching IP, got %v", result)
+	if result != PolicyResultIndeterminate {
+		t.Errorf("Expected Indeterminate for non-matching IP (should fall through to IAM), got %v", result)
 	}
 }