fix: support IAM policy handling for wildcard actions (#11530)

This PR fixes

- allow 's3:versionid` as a valid conditional for
  Get,Put,Tags,Object locking APIs
- allow additional headers missing for object APIs
- allow wildcard based action matching

pkg/iam/policy/actionset.go

@@ -43,6 +43,15 @@ func (actionSet ActionSet) Match(action Action) bool {
 		if r.Match(action) {
 			return true
 		}
+
+		// This is a special case where GetObjectVersion
+		// means GetObject is enabled implicitly.
+		switch r {
+		case GetObjectVersionAction:
+			if action == GetObjectAction {
+				return true
+			}
+		}
 	}
 
 	return false