Refactor data structure (#7472)

* refactor to avoids circular dependency

* converts a policy.PolicyDocument to policy_engine.PolicyDocument

* convert numeric types to strings

* Update weed/s3api/policy_conversion.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* refactoring

* not skipping numeric and boolean values in arrays

* avoid nil

* edge cases

* handling conversion failure

The handling of unsupported types in convertToString could lead to silent policy alterations.
The conversion of map-based principals in convertPrincipal is too generic and could misinterpret policies.

* concise

* fix doc

* adjust warning

* recursion

* return errors

* reject empty principals

* better error message

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

weed/s3api/auth_credentials.go

@@ -54,8 +54,8 @@ type IdentityAccessManagement struct {
 	// IAM Integration for advanced features
 	iamIntegration *S3IAMIntegration
 	
-	// Link to S3ApiServer for bucket policy evaluation
-	s3ApiServer *S3ApiServer
+	// Bucket policy engine for evaluating bucket policies
+	policyEngine *BucketPolicyEngine
 }
 
 type Identity struct {
@@ -511,9 +511,9 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 		// - Explicit DENY in bucket policy → immediate rejection
 		// - Explicit ALLOW in bucket policy → grant access (bypass IAM checks)
 		// - No policy or indeterminate → fall through to IAM checks
-		if iam.s3ApiServer != nil && iam.s3ApiServer.policyEngine != nil && bucket != "" {
+		if iam.policyEngine != nil && bucket != "" {
 			principal := buildPrincipalARN(identity)
-			allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
+			allowed, evaluated, err := iam.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
 			
 			if err != nil {
 				// SECURITY: Fail-close on policy evaluation errors