Fix trust policy validation for specific AWS user principals (#8597)

* Add tests for AWS user principal in AssumeRole trust policies

Add test cases that verify trust policy validation when using specific
AWS user principals (e.g., "arn:aws:iam::000000000000:user/backend")
in the Principal field of trust policies for AssumeRole.

Covers single user, multiple users (array), wildcard, and plain string
principal formats. These tests demonstrate the bug reported in #8588
where specific user principals always fail validation.

* Populate RequestContext in ValidateTrustPolicyForPrincipal

ValidateTrustPolicyForPrincipal was creating an EvaluationContext with
a nil RequestContext. The policy engine's principal matching logic looks
up "aws:PrincipalArn" in RequestContext for non-wildcard principals,
so specific user ARNs like "arn:aws:iam::000000000000:user/backend"
always failed to match, while wildcard "*" worked because it
short-circuits before the lookup.

Populate RequestContext with both "principal" and "aws:PrincipalArn"
keys, consistent with how IsActionAllowed already does it.

Fixes #8588

* Remove GitHub discussion URL from source code comments

* Add specific error message assertions in trust policy tests

weed/iam/integration/iam_manager_trust.go

@@ -27,11 +27,18 @@ func (m *IAMManager) ValidateTrustPolicyForPrincipal(ctx context.Context, roleAr
 		return fmt.Errorf("role has no trust policy")
 	}
 
-	// Create evaluation context
+	// Create evaluation context with RequestContext populated so that
+	// principal matching works for specific (non-wildcard) principals.
+	// Without this, evaluatePrincipalValue cannot look up "aws:PrincipalArn"
+	// and always returns false for non-wildcard trust policy principals.
 	evalCtx := &policy.EvaluationContext{
 		Principal: principalArn,
 		Action:    "sts:AssumeRole",
 		Resource:  roleArn,
+		RequestContext: map[string]interface{}{
+			"principal":        principalArn,
+			"aws:PrincipalArn": principalArn,
+		},
 	}
 
 	// Evaluate the trust policy