Refactor data structure (#7472)

* refactor to avoid circular dependency

* converts a policy.PolicyDocument to policy_engine.PolicyDocument

* convert numeric types to strings

* Update weed/s3api/policy_conversion.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* refactoring

* not skipping numeric and boolean values in arrays

* avoid nil

* edge cases

* handling conversion failure

The handling of unsupported types in convertToString could lead to silent policy alterations.
The conversion of map-based principals in convertPrincipal is too generic and could misinterpret policies.

* concise

* fix doc

* adjust warning

* recursion

* return errors

* reject empty principals

* better error message

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
This commit is contained in:
Chris Lu
2025-11-12 23:46:52 -08:00
committed by GitHub
parent 508d06d9a5
commit 2a9d4d1e23
5 changed files with 877 additions and 19 deletions


@@ -86,10 +86,11 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
option.AllowedOrigins = domains
}
var iam *IdentityAccessManagement
iam = NewIdentityAccessManagementWithStore(option, explicitStore)
iam := NewIdentityAccessManagementWithStore(option, explicitStore)
// Initialize bucket policy engine first
policyEngine := NewBucketPolicyEngine()
s3ApiServer = &S3ApiServer{
option: option,
iam: iam,
@@ -98,11 +99,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
cb: NewCircuitBreaker(option),
credentialManager: iam.credentialManager,
bucketConfigCache: NewBucketConfigCache(60 * time.Minute), // Increased TTL since cache is now event-driven
policyEngine: NewBucketPolicyEngine(), // Initialize bucket policy engine
policyEngine: policyEngine, // Initialize bucket policy engine
}
// Link IAM back to server for bucket policy evaluation
iam.s3ApiServer = s3ApiServer
// Pass policy engine to IAM for bucket policy evaluation
// This avoids circular dependency by not passing the entire S3ApiServer
iam.policyEngine = policyEngine
// Initialize advanced IAM system if config is provided
if option.IamConfig != "" {
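Review bot: The bucket policy engine is wired into the IAM only after construction, at `iam.policyEngine = policyEngine`, so there is a window between `NewIdentityAccessManagementWithStore(option, explicitStore)` and that assignment in which `iam.policyEngine` is nil; if the IAM's authorization path (not visible here) treats a nil engine as "no bucket policy applies" rather than erroring, any evaluation that runs in that window — or in any other code path that builds an IdentityAccessManagement without this follow-up assignment — fails open. Consider passing the engine into the constructor so the invariant holds by construction, or at minimum have the evaluation path return an explicit error on a nil engine and document the requirement next to the assignment: `// iam.policyEngine must be set before the first authorization check; a nil engine must be treated as deny, not as "no policy".` Since the old `iam.s3ApiServer = s3ApiServer` back-reference is dropped, it is worth confirming (in the other changed files) that no remaining IAM code still reads `s3ApiServer`, which would now be a nil pointer dereference. Separately, the trailing comment on `policyEngine: policyEngine, // Initialize bucket policy engine` is now stale since initialization moved up to `policyEngine := NewBucketPolicyEngine()`; drop it or change it to `// shared with iam below`.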