bucket: refactor policies and fix bugs related to enforcing policies. (#2766)

This patch also addresses the problem of double caching at
object layer once at XL and another at handler layer.

cmd/bucket-handlers.go

@@ -31,13 +31,25 @@ import (
 // http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
 // Enforces bucket policies for a bucket for a given tatusaction.
 func enforceBucketPolicy(bucket string, action string, reqURL *url.URL) (s3Error APIErrorCode) {
-	if !IsValidBucketName(bucket) {
-		return ErrInvalidBucketName
-	}
 	// Fetch bucket policy, if policy is not set return access denied.
-	policy := globalBucketPolicies.GetBucketPolicy(bucket)
-	if policy == nil {
-		return ErrAccessDenied
+	policy, err := readBucketPolicy(bucket, newObjectLayerFn())
+	if err != nil {
+		err = errorCause(err)
+		switch err.(type) {
+		case BucketNameInvalid:
+			// Return error for invalid bucket name.
+			return ErrInvalidBucketName
+		case BucketNotFound:
+			// For no bucket found we return NoSuchBucket instead.
+			return ErrNoSuchBucket
+		case BucketPolicyNotFound:
+			// For no bucket policy found, return AccessDenied, since
+			// anonymous requests are not allowed without bucket policies.
+			return ErrAccessDenied
+		}
+		errorIf(err, "Unable to read bucket policy.")
+		// Return internal error for any other errors so that we can investigate.
+		return ErrInternalError
 	}
 
 	// Construct resource in 'arn:aws:s3:::examplebucket/object' format.