Implement managed policy storage (#8385)

* Persist managed IAM policies

* Add IAM list/get policy integration test

* Faster marker lookup and cleanup

* Handle delete conflict and improve listing

* Add delete-in-use policy integration test

* Stabilize policy ID and guard path prefix

* Tighten CreatePolicy guard and reload

* Add ListPolicyNames to credential store

weed/s3api/s3api_embedded_iam_test.go

@@ -518,6 +518,37 @@ func TestEmbeddedIamDetachUserPolicy(t *testing.T) {
 	assert.Equal(t, []string{"KeepPolicy"}, api.mockConfig.Identities[0].PolicyNames)
 }
 
+// TestEmbeddedIamDeletePolicyInUse ensures deleting a policy that is still attached returns conflict.
+func TestEmbeddedIamDeletePolicyInUse(t *testing.T) {
+	api := NewEmbeddedIamApiForTest()
+	api.mockConfig = &iam_pb.S3ApiConfiguration{
+		Identities: []*iam_pb.Identity{
+			{Name: "TestUser", PolicyNames: []string{"TestPolicy"}},
+		},
+		Policies: []*iam_pb.Policy{
+			{Name: "TestPolicy", Content: `{"Version":"2012-10-17","Statement":[]}`},
+		},
+	}
+
+	params := &iam.DeletePolicyInput{
+		PolicyArn: aws.String("arn:aws:iam:::policy/TestPolicy"),
+	}
+	req, _ := iam.New(session.New()).DeletePolicyRequest(params)
+	_ = req.Build()
+
+	response, err := executeEmbeddedIamRequest(api, req.HTTPRequest, nil)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusConflict, response.Code)
+	code, _ := extractEmbeddedIamErrorCodeAndMessage(response)
+	assert.Equal(t, iam.ErrCodeDeleteConflictException, code)
+
+	assert.Len(t, api.mockConfig.Policies, 1)
+	assert.Equal(t, "TestPolicy", api.mockConfig.Policies[0].Name)
+	assert.Len(t, api.mockConfig.Identities, 1)
+	assert.Equal(t, "TestUser", api.mockConfig.Identities[0].Name)
+	assert.Contains(t, api.mockConfig.Identities[0].PolicyNames, "TestPolicy")
+}
+
 // TestEmbeddedIamAttachAlreadyAttachedPolicy ensures attaching a policy already
 // present on the user is idempotent.
 func TestEmbeddedIamAttachAlreadyAttachedPolicy(t *testing.T) {