From 34fd1e909e6689799ded386551986bce925cc6bf Mon Sep 17 00:00:00 2001
From: chrislu
Date: Wed, 12 Nov 2025 22:20:29 -0800
Subject: [PATCH] refactor to avoids circular dependency

---
 weed/s3api/auth_credentials.go | 8 ++++----
 weed/s3api/s3api_server.go | 14 ++++++++------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/weed/s3api/auth_credentials.go b/weed/s3api/auth_credentials.go
index 7a6a706ff..85002377b 100644
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -54,8 +54,8 @@ type IdentityAccessManagement struct {
 // IAM Integration for advanced features
 iamIntegration *S3IAMIntegration
 
- // Link to S3ApiServer for bucket policy evaluation
- s3ApiServer *S3ApiServer
+ // Bucket policy engine for evaluating bucket policies
+ policyEngine *BucketPolicyEngine
 }
 
 type Identity struct {
@@ -511,9 +511,9 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 // - Explicit DENY in bucket policy → immediate rejection
 // - Explicit ALLOW in bucket policy → grant access (bypass IAM checks)
 // - No policy or indeterminate → fall through to IAM checks
- if iam.s3ApiServer != nil && iam.s3ApiServer.policyEngine != nil && bucket != "" {
+ if iam.policyEngine != nil && bucket != "" {
 principal := buildPrincipalARN(identity)
- allowed, evaluated, err := iam.s3ApiServer.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
+ allowed, evaluated, err := iam.policyEngine.EvaluatePolicy(bucket, object, string(action), principal)
 
 if err != nil {
 // SECURITY: Fail-close on policy evaluation errors
diff --git a/weed/s3api/s3api_server.go b/weed/s3api/s3api_server.go
index 5a06be720..053d4f56a 100644
--- a/weed/s3api/s3api_server.go
+++ b/weed/s3api/s3api_server.go
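Review bot: The new `policyEngine` field comment does not say what a nil value means, yet in authRequest (the second hunk of this file) a nil engine silently skips bucket policy evaluation, so the field doc should state that. The field is also not set by the IAM constructor but assigned afterwards in NewS3ApiServerWithStore (s3api_server.go), which a reader of this struct cannot see. Suggest `// Bucket policy engine for evaluating bucket policies. nil disables bucket policy evaluation in authRequest; set by NewS3ApiServerWithStore after construction.` The IdentityAccessManagement struct starts before the hunk.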
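Review bot: With `if iam.policyEngine != nil && bucket != ""` the nil check is now the only gate on bucket policy enforcement, and an IdentityAccessManagement whose policyEngine was never wired (any construction path other than NewS3ApiServerWithStore) silently falls through to IAM checks, bypassing explicit DENY statements. The old `iam.s3ApiServer != nil` guard behaved the same way, so this is not a regression, but the refactor makes the dependency implicit and worth making visible. Consider a comment on the if such as `// policyEngine is nil only when IAM was built outside NewS3ApiServerWithStore; bucket policies are then not enforced` and, if a logger is available in this file, a debug-level log in the skipped case so a misconfiguration is diagnosable. authRequest starts and ends outside the hunk.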
@@ -86,10 +86,11 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 option.AllowedOrigins = domains
 }
 
- var iam *IdentityAccessManagement
-
- iam = NewIdentityAccessManagementWithStore(option, explicitStore)
+ iam := NewIdentityAccessManagementWithStore(option, explicitStore)
+ // Initialize bucket policy engine first
+ policyEngine := NewBucketPolicyEngine()
+
 
 s3ApiServer = &S3ApiServer{
 option: option,
 iam: iam,
@@ -98,11 +99,12 @@ func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, expl
 cb: NewCircuitBreaker(option),
 credentialManager: iam.credentialManager,
 bucketConfigCache: NewBucketConfigCache(60 * time.Minute), // Increased TTL since cache is now event-driven
- policyEngine: NewBucketPolicyEngine(), // Initialize bucket policy engine
+ policyEngine: policyEngine, // Initialize bucket policy engine
 }
 
- // Link IAM back to server for bucket policy evaluation
- iam.s3ApiServer = s3ApiServer
+ // Pass policy engine to IAM for bucket policy evaluation
+ // This avoids circular dependency by not passing the entire S3ApiServer
+ iam.policyEngine = policyEngine
 
 // Initialize advanced IAM system if config is provided
 if option.IamConfig != "" {
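Review bot: `policyEngine := NewBucketPolicyEngine()` is created here but only attached to iam by `iam.policyEngine = policyEngine` at the end of the next hunk, after s3ApiServer has already been built holding that iam; anything that uses iam in between would see a nil engine and skip bucket policy evaluation. Assigning immediately removes that window, and the comment `// Initialize bucket policy engine first` could then say why: `// Create the bucket policy engine before the server so iam and S3ApiServer share one instance` followed by `iam.policyEngine = policyEngine` directly after the constructor call, dropping the later assignment (or pass the engine into NewIdentityAccessManagementWithStore so IAM can never exist without it). The hunk counts also suggest the added blank line sits next to an existing blank context line, which gofmt would collapse, so the file may not be gofmt-clean. NewS3ApiServerWithStore starts before the hunk and continues after it.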
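Review bot: The inline comment `// Initialize bucket policy engine` on `policyEngine: policyEngine,` is now stale, since the engine is constructed earlier in the function and this line only stores the shared instance; suggest `policyEngine: policyEngine, // shared with iam for bucket policy evaluation`. The two-line comment above `iam.policyEngine = policyEngine` explains the refactor's motivation, which belongs in the commit message rather than the code; a one-liner such as `// Give IAM the shared policy engine for bucket policy evaluation` is enough. NewS3ApiServerWithStore continues after the hunk.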