S3: Enforce bucket policy (#7471)

* evaluate policies during authorization

* cache bucket policy

* refactor

* matching with regex special characters

* Case Sensitivity, pattern cache, Dead Code Removal

* Fixed Typo, Restored []string Case, Added Cache Size Limit

* hook up with policy engine

* remove old implementation

* action mapping

* validate

* if not specified, fall through to IAM checks

* fmt

* Fail-close on policy evaluation errors

* Explicit `Allow` bypasses IAM checks

* fix error message

* arn:seaweed => arn:aws

* remove legacy support

* fix tests

* Clean up bucket policy after this test

* fix for tests

* address comments

* security fixes

* fix tests

* temp comment out

weed/s3api/s3api_bucket_policy_handlers.go

@@ -275,14 +275,10 @@ func (s3a *S3ApiServer) validateBucketPolicy(policyDoc *policy.PolicyDocument, b
 // validateResourceForBucket checks if a resource ARN is valid for the given bucket
 func (s3a *S3ApiServer) validateResourceForBucket(resource, bucket string) bool {
 	// Accepted formats for S3 bucket policies:
-	// AWS-style ARNs:
+	// AWS-style ARNs (standard):
 	//   arn:aws:s3:::bucket-name
 	//   arn:aws:s3:::bucket-name/*
 	//   arn:aws:s3:::bucket-name/path/to/object
-	// SeaweedFS ARNs:
-	//   arn:seaweed:s3:::bucket-name
-	//   arn:seaweed:s3:::bucket-name/*
-	//   arn:seaweed:s3:::bucket-name/path/to/object
 	// Simplified formats (for convenience):
 	//   bucket-name
 	//   bucket-name/*
@@ -290,13 +286,10 @@ func (s3a *S3ApiServer) validateResourceForBucket(resource, bucket string) bool
 
 	var resourcePath string
 	const awsPrefix = "arn:aws:s3:::"
-	const seaweedPrefix = "arn:seaweed:s3:::"
 
 	// Strip the optional ARN prefix to get the resource path
 	if path, ok := strings.CutPrefix(resource, awsPrefix); ok {
 		resourcePath = path
-	} else if path, ok := strings.CutPrefix(resource, seaweedPrefix); ok {
-		resourcePath = path
 	} else {
 		resourcePath = resource
 	}