Enhance policy handling to support SSE and WORM (#5790)

- remove old bucket policy handling
- add new policy handling
- add new policy handling unit tests

This patch brings support to bucket policy to have more control not
limiting to anonymous.  Bucket owner controls to allow/deny any rest
API.

For example server side encryption can be controlled by allowing
PUT/GET objects with encryptions including bucket owner.

cmd/gateway/s3/gateway-s3.go

@@ -20,14 +20,15 @@ import (
 	"context"
 	"encoding/json"
 	"io"
+	"strings"
 
 	"github.com/minio/cli"
 	miniogo "github.com/minio/minio-go"
-	"github.com/minio/minio-go/pkg/policy"
 	"github.com/minio/minio-go/pkg/s3utils"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
 	"github.com/minio/minio/pkg/hash"
+	"github.com/minio/minio/pkg/policy"
 
 	minio "github.com/minio/minio/cmd"
 )
@@ -428,31 +429,32 @@ func (l *s3Objects) CompleteMultipartUpload(ctx context.Context, bucket string,
 }
 
 // SetBucketPolicy sets policy on bucket
-func (l *s3Objects) SetBucketPolicy(ctx context.Context, bucket string, policyInfo policy.BucketAccessPolicy) error {
-	data, err := json.Marshal(&policyInfo)
+func (l *s3Objects) SetBucketPolicy(ctx context.Context, bucket string, bucketPolicy *policy.Policy) error {
+	data, err := json.Marshal(bucketPolicy)
 	if err != nil {
-		return err
+		// This should not happen.
+		logger.LogIf(ctx, err)
+		return minio.ErrorRespToObjectError(err, bucket)
 	}
+
 	if err := l.Client.SetBucketPolicy(bucket, string(data)); err != nil {
 		logger.LogIf(ctx, err)
-		return minio.ErrorRespToObjectError(err, bucket, "")
+		return minio.ErrorRespToObjectError(err, bucket)
 	}
 
 	return nil
 }
 
 // GetBucketPolicy will get policy on bucket
-func (l *s3Objects) GetBucketPolicy(ctx context.Context, bucket string) (policy.BucketAccessPolicy, error) {
+func (l *s3Objects) GetBucketPolicy(ctx context.Context, bucket string) (*policy.Policy, error) {
 	data, err := l.Client.GetBucketPolicy(bucket)
 	if err != nil {
 		logger.LogIf(ctx, err)
-		return policy.BucketAccessPolicy{}, minio.ErrorRespToObjectError(err, bucket, "")
+		return nil, minio.ErrorRespToObjectError(err, bucket)
 	}
-	var policyInfo policy.BucketAccessPolicy
-	if err = json.Unmarshal([]byte(data), &policyInfo); err != nil {
-		return policyInfo, err
-	}
-	return policyInfo, nil
+
+	bucketPolicy, err := policy.ParseConfig(strings.NewReader(data), bucket)
+	return bucketPolicy, minio.ErrorRespToObjectError(err, bucket)
 }
 
 // DeleteBucketPolicy deletes all policies on bucket

cmd/gateway/s3/gateway-s3_test.go

@@ -52,7 +52,7 @@ func TestS3ToObjectError(t *testing.T) {
 		},
 		{
 			inputErr:    errResponse("NoSuchBucketPolicy"),
-			expectedErr: minio.PolicyNotFound{},
+			expectedErr: minio.BucketPolicyNotFound{},
 		},
 		{
 			inputErr:    errResponse("NoSuchBucket"),