s3: add s3:ExistingObjectTag condition support for bucket policies (#7677)

* s3: add s3:ExistingObjectTag condition support in policy engine

Add support for s3:ExistingObjectTag/<tag-key> condition keys in bucket
policies, allowing access control based on object tags.

Changes:
- Add ObjectEntry field to PolicyEvaluationArgs (entry.Extended metadata)
- Update EvaluateConditions to handle s3:ExistingObjectTag/<key> format
- Extract tag value from entry metadata using X-Amz-Tagging-<key> prefix

This enables policies like:
{
  "Condition": {
    "StringEquals": {
      "s3:ExistingObjectTag/status": ["public"]
    }
  }
}

Fixes: https://github.com/seaweedfs/seaweedfs/issues/7447

* s3: update EvaluatePolicy to accept object entry for tag conditions

Update BucketPolicyEngine.EvaluatePolicy to accept objectEntry parameter
(entry.Extended metadata) for evaluating tag-based policy conditions.

Changes:
- Add objectEntry parameter to EvaluatePolicy method
- Update callers in auth_credentials.go and s3api_bucket_handlers.go
- Pass nil for objectEntry in auth layer (entry fetched later in handlers)

For tag-based conditions to work, handlers should call EvaluatePolicy
with the object's entry.Extended after fetching the entry from filer.

* s3: add tests for s3:ExistingObjectTag policy conditions

Add comprehensive tests for object tag-based policy conditions:

- TestExistingObjectTagCondition: Basic tag matching scenarios
  - Matching/non-matching tag values
  - Missing tags, no tags, empty tags
  - Multiple tags with one matching

- TestExistingObjectTagConditionMultipleTags: Multiple tag conditions
  - Both tags match
  - Only one tag matches

- TestExistingObjectTagDenyPolicy: Deny policies with tag conditions
  - Default allow without tag
  - Deny when specific tag present

* s3: document s3:ExistingObjectTag support and feature status

Update policy engine documentation:

- Add s3:ExistingObjectTag/<tag-key> to supported condition keys
- Add 'Object Tag-Based Access Control' section with examples
- Add 'Feature Status' section with implemented and planned features

Planned features for future implementation:
- s3:RequestObjectTag/<key>
- s3:RequestObjectTagKeys
- s3:x-amz-server-side-encryption
- Cross-account access

* Implement tag-based policy re-check in handlers

- Add checkPolicyWithEntry helper to S3ApiServer for handlers to re-check
  policy after fetching object entry (for s3:ExistingObjectTag conditions)
- Add HasPolicyForBucket method to policy engine for efficient check
- Integrate policy re-check in GetObjectHandler after entry is fetched
- Integrate policy re-check in HeadObjectHandler after entry is fetched
- Update auth_credentials.go comments to explain two-phase evaluation
- Update documentation with supported operations for tag-based conditions

This implements 'Approach 1' where handlers re-check the policy with
the object entry after fetching it, allowing tag-based conditions to
be properly evaluated.

* Add integration tests for s3:ExistingObjectTag conditions

- Add TestCheckPolicyWithEntry: tests checkPolicyWithEntry helper with various
  tag scenarios (matching tags, non-matching tags, empty entry, nil entry)
- Add TestCheckPolicyWithEntryNoPolicyForBucket: tests early return when no policy
- Add TestCheckPolicyWithEntryNilPolicyEngine: tests nil engine handling
- Add TestCheckPolicyWithEntryDenyPolicy: tests deny policies with tag conditions
- Add TestHasPolicyForBucket: tests HasPolicyForBucket method

These tests cover the Phase 2 policy evaluation with object entry metadata,
ensuring tag-based conditions are properly evaluated.

* Address code review nitpicks

- Remove unused extractObjectTags placeholder function (engine.go)
- Add clarifying comment about s3:ExistingObjectTag/<key> evaluation
- Consolidate duplicate tag-based examples in README
- Factor out tagsToEntry helper to package level in tests

* Address code review feedback

- Fix unsafe type assertions in GetObjectHandler and HeadObjectHandler
  when getting identity from context (properly handle type assertion failure)
- Extract getConditionContextValue helper to eliminate duplicated logic
  between EvaluateConditions and EvaluateConditionsLegacy
- Ensure consistent handling of missing condition keys (always return
  empty slice)

* Fix GetObjectHandler to match HeadObjectHandler pattern

Add safety check for nil objectEntryForSSE before tag-based policy
evaluation, ensuring tag-based conditions are always evaluated rather
than silently skipped if entry is unexpectedly nil.

Addresses review comment from Copilot.

* Fix HeadObject action name in docs for consistency

Change 'HeadObject' to 's3:HeadObject' to match other action names.

* Extract recheckPolicyWithObjectEntry helper to reduce duplication

Move the repeated identity extraction and policy re-check logic from
GetObjectHandler and HeadObjectHandler into a shared helper method.

* Add validation for empty tag key in s3:ExistingObjectTag condition

Prevent potential issues with malformed policies containing
s3:ExistingObjectTag/ (empty tag key after slash).

1 files changed, 244 insertions, 0 deletions

diff --git a/weed/s3api/policy_engine/engine_test.go b/weed/s3api/policy_engine/engine_test.go
index 1bb36dc4a..4de537ac1 100644
--- a/weed/s3api/policy_engine/engine_test.go
+++ b/weed/s3api/policy_engine/engine_test.go
@@ -5,9 +5,23 @@ import (
 	"net/url"
 	"testing"
 
+	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
 )
 
+// tagsToEntry converts a map of tag key-value pairs to the entry.Extended format
+// used for s3:ExistingObjectTag/<key> condition evaluation
+func tagsToEntry(tags map[string]string) map[string][]byte {
+	if tags == nil {
+		return nil
+	}
+	entry := make(map[string][]byte)
+	for k, v := range tags {
+		entry[s3_constants.AmzObjectTaggingPrefix+k] = []byte(v)
+	}
+	return entry
+}
+
 func TestPolicyEngine(t *testing.T) {
 	engine := NewPolicyEngine()
 
@@ -714,3 +728,233 @@ type MockLegacyIAM struct{}
 func (m *MockLegacyIAM) authRequest(r *http.Request, action Action) (Identity, s3err.ErrorCode) {
 	return nil, s3err.ErrNone
 }
+
+// TestExistingObjectTagCondition tests s3:ExistingObjectTag/<tag-key> condition support
+func TestExistingObjectTagCondition(t *testing.T) {
+	engine := NewPolicyEngine()
+
+	// Policy that allows GetObject only for objects with specific tag
+	policyJSON := `{
+		"Version": "2012-10-17",
+		"Statement": [
+			{
+				"Effect": "Allow",
+				"Principal": "*",
+				"Action": "s3:GetObject",
+				"Resource": "arn:aws:s3:::test-bucket/*",
+				"Condition": {
+					"StringEquals": {
+						"s3:ExistingObjectTag/status": ["public"]
+					}
+				}
+			}
+		]
+	}`
+
+	err := engine.SetBucketPolicy("test-bucket", policyJSON)
+	if err != nil {
+		t.Fatalf("Failed to set bucket policy: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		objectTags map[string]string
+		expected   PolicyEvaluationResult
+	}{
+		{
+			name:       "Matching tag value - should allow",
+			objectTags: map[string]string{"status": "public"},
+			expected:   PolicyResultAllow,
+		},
+		{
+			name:       "Non-matching tag value - should be indeterminate",
+			objectTags: map[string]string{"status": "private"},
+			expected:   PolicyResultIndeterminate,
+		},
+		{
+			name:       "Missing tag - should be indeterminate",
+			objectTags: map[string]string{"other": "value"},
+			expected:   PolicyResultIndeterminate,
+		},
+		{
+			name:       "No tags - should be indeterminate",
+			objectTags: nil,
+			expected:   PolicyResultIndeterminate,
+		},
+		{
+			name:       "Empty tags - should be indeterminate",
+			objectTags: map[string]string{},
+			expected:   PolicyResultIndeterminate,
+		},
+		{
+			name:       "Multiple tags with matching one - should allow",
+			objectTags: map[string]string{"status": "public", "owner": "admin"},
+			expected:   PolicyResultAllow,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := &PolicyEvaluationArgs{
+				Action:      "s3:GetObject",
+				Resource:   "arn:aws:s3:::test-bucket/test-object",
+				Principal:  "*",
+				ObjectEntry: tagsToEntry(tt.objectTags),
+			}
+
+			result := engine.EvaluatePolicy("test-bucket", args)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}
+
+// TestExistingObjectTagConditionMultipleTags tests policies with multiple tag conditions
+func TestExistingObjectTagConditionMultipleTags(t *testing.T) {
+	engine := NewPolicyEngine()
+
+	// Policy that requires multiple tag conditions
+	policyJSON := `{
+		"Version": "2012-10-17",
+		"Statement": [
+			{
+				"Effect": "Allow",
+				"Principal": "*",
+				"Action": "s3:GetObject",
+				"Resource": "arn:aws:s3:::test-bucket/*",
+				"Condition": {
+					"StringEquals": {
+						"s3:ExistingObjectTag/status": ["public"],
+						"s3:ExistingObjectTag/tier": ["free", "premium"]
+					}
+				}
+			}
+		]
+	}`
+
+	err := engine.SetBucketPolicy("test-bucket", policyJSON)
+	if err != nil {
+		t.Fatalf("Failed to set bucket policy: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		objectTags map[string]string
+		expected   PolicyEvaluationResult
+	}{
+		{
+			name:       "Both tags match - should allow",
+			objectTags: map[string]string{"status": "public", "tier": "free"},
+			expected:   PolicyResultAllow,
+		},
+		{
+			name:       "Both tags match (premium tier) - should allow",
+			objectTags: map[string]string{"status": "public", "tier": "premium"},
+			expected:   PolicyResultAllow,
+		},
+		{
+			name:       "Only status matches - should be indeterminate",
+			objectTags: map[string]string{"status": "public"},
+			expected:   PolicyResultIndeterminate,
+		},
+		{
+			name:       "Only tier matches - should be indeterminate",
+			objectTags: map[string]string{"tier": "free"},
+			expected:   PolicyResultIndeterminate,
+		},
+		{
+			name:       "Neither tag matches - should be indeterminate",
+			objectTags: map[string]string{"status": "private", "tier": "basic"},
+			expected:   PolicyResultIndeterminate,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := &PolicyEvaluationArgs{
+				Action:      "s3:GetObject",
+				Resource:   "arn:aws:s3:::test-bucket/test-object",
+				Principal:  "*",
+				ObjectEntry: tagsToEntry(tt.objectTags),
+			}
+
+			result := engine.EvaluatePolicy("test-bucket", args)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}
+
+// TestExistingObjectTagDenyPolicy tests deny policies with tag conditions
+func TestExistingObjectTagDenyPolicy(t *testing.T) {
+	engine := NewPolicyEngine()
+
+	// Policy that denies access to objects with confidential tag
+	policyJSON := `{
+		"Version": "2012-10-17",
+		"Statement": [
+			{
+				"Effect": "Allow",
+				"Principal": "*",
+				"Action": "s3:GetObject",
+				"Resource": "arn:aws:s3:::test-bucket/*"
+			},
+			{
+				"Effect": "Deny",
+				"Principal": "*",
+				"Action": "s3:GetObject",
+				"Resource": "arn:aws:s3:::test-bucket/*",
+				"Condition": {
+					"StringEquals": {
+						"s3:ExistingObjectTag/classification": ["confidential"]
+					}
+				}
+			}
+		]
+	}`
+
+	err := engine.SetBucketPolicy("test-bucket", policyJSON)
+	if err != nil {
+		t.Fatalf("Failed to set bucket policy: %v", err)
+	}
+
+	tests := []struct {
+		name       string
+		objectTags map[string]string
+		expected   PolicyEvaluationResult
+	}{
+		{
+			name:       "No tags - allow by default statement",
+			objectTags: nil,
+			expected:   PolicyResultAllow,
+		},
+		{
+			name:       "Non-confidential tag - allow",
+			objectTags: map[string]string{"classification": "public"},
+			expected:   PolicyResultAllow,
+		},
+		{
+			name:       "Confidential tag - deny",
+			objectTags: map[string]string{"classification": "confidential"},
+			expected:   PolicyResultDeny,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := &PolicyEvaluationArgs{
+				Action:      "s3:GetObject",
+				Resource:   "arn:aws:s3:::test-bucket/test-object",
+				Principal:  "*",
+				ObjectEntry: tagsToEntry(tt.objectTags),
+			}
+
+			result := engine.EvaluatePolicy("test-bucket", args)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}