S3: Enforce bucket policy (#7471)

* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out

weed/iam/sts/token_utils.go

@@ -207,11 +207,11 @@ func GenerateSessionId() (string, error) {
 // generateAssumedRoleArn generates the ARN for an assumed role user
 func GenerateAssumedRoleArn(roleArn, sessionName string) string {
 	// Convert role ARN to assumed role user ARN
-	// arn:seaweed:iam::role/RoleName -> arn:seaweed:sts::assumed-role/RoleName/SessionName
+	// arn:aws:iam::role/RoleName -> arn:aws:sts::assumed-role/RoleName/SessionName
 	roleName := utils.ExtractRoleNameFromArn(roleArn)
 	if roleName == "" {
 		// This should not happen if validation is done properly upstream
-		return fmt.Sprintf("arn:seaweed:sts::assumed-role/INVALID-ARN/%s", sessionName)
+		return fmt.Sprintf("arn:aws:sts::assumed-role/INVALID-ARN/%s", sessionName)
 	}
-	return fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleName, sessionName)
+	return fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, sessionName)
 }