S3: Enforce bucket policy (#7471)

* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out

weed/s3api/s3_iam_middleware.go

@@ -139,7 +139,7 @@ func (s3iam *S3IAMIntegration) AuthenticateJWT(ctx context.Context, r *http.Requ
 			parts := strings.Split(roleName, "/")
 			roleNameOnly = parts[len(parts)-1]
 		}
-		principalArn = fmt.Sprintf("arn:seaweed:sts::assumed-role/%s/%s", roleNameOnly, sessionName)
+		principalArn = fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleNameOnly, sessionName)
 	}
 
 	// Validate the JWT token directly using STS service (avoid circular dependency)
@@ -238,11 +238,11 @@ type MockAssumedRoleUser struct {
 // buildS3ResourceArn builds an S3 resource ARN from bucket and object
 func buildS3ResourceArn(bucket string, objectKey string) string {
 	if bucket == "" {
-		return "arn:seaweed:s3:::*"
+		return "arn:aws:s3:::*"
 	}
 
 	if objectKey == "" || objectKey == "/" {
-		return "arn:seaweed:s3:::" + bucket
+		return "arn:aws:s3:::" + bucket
 	}
 
 	// Remove leading slash from object key if present
@@ -250,7 +250,7 @@ func buildS3ResourceArn(bucket string, objectKey string) string {
 		objectKey = objectKey[1:]
 	}
 
-	return "arn:seaweed:s3:::" + bucket + "/" + objectKey
+	return "arn:aws:s3:::" + bucket + "/" + objectKey
 }
 
 // determineGranularS3Action determines the specific S3 IAM action based on HTTP request details