S3: Enforce bucket policy (#7471)

* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out

weed/iam/oidc/oidc_provider_test.go

@@ -210,15 +210,15 @@ func TestOIDCProviderAuthentication(t *testing.T) {
 				{
 					Claim: "email",
 					Value: "*@example.com",
-					Role:  "arn:seaweed:iam::role/UserRole",
+					Role:  "arn:aws:iam::role/UserRole",
 				},
 				{
 					Claim: "groups",
 					Value: "admins",
-					Role:  "arn:seaweed:iam::role/AdminRole",
+					Role:  "arn:aws:iam::role/AdminRole",
 				},
 			},
-			DefaultRole: "arn:seaweed:iam::role/GuestRole",
+			DefaultRole: "arn:aws:iam::role/GuestRole",
 		},
 	}