s3api: add s3:GetObjectAttributes IAM action for ?attributes query

Previously, GET /{object}?attributes resolved to s3:GetObject via the
fallback path since resolveFromQueryParameters had no case for the
"attributes" query parameter.

Add S3_ACTION_GET_OBJECT_ATTRIBUTES constant ("s3:GetObjectAttributes")
and a branch in resolveFromQueryParameters to return it for GET requests
with the "attributes" query parameter, so IAM policies can distinguish
GetObjectAttributes from GetObject.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

weed/s3api/s3_action_resolver.go

@@ -196,6 +196,11 @@ func resolveFromQueryParameters(query url.Values, method string, hasObject bool)
 		return s3_constants.S3_ACTION_GET_BUCKET_LOCATION
 	}
 
+	// GetObjectAttributes (object-level only)
+	if hasObject && query.Has("attributes") && method == http.MethodGet {
+		return s3_constants.S3_ACTION_GET_OBJECT_ATTRIBUTES
+	}
+
 	// Object retention and legal hold operations (object-level only)
 	if hasObject {
 		if query.Has("retention") {

weed/s3api/s3_constants/s3_action_strings.go

@@ -8,7 +8,8 @@ const (
 	S3_ACTION_PUT_OBJECT            = "s3:PutObject"
 	S3_ACTION_DELETE_OBJECT         = "s3:DeleteObject"
 	S3_ACTION_DELETE_OBJECT_VERSION = "s3:DeleteObjectVersion"
-	S3_ACTION_GET_OBJECT_VERSION    = "s3:GetObjectVersion"
+	S3_ACTION_GET_OBJECT_VERSION     = "s3:GetObjectVersion"
+	S3_ACTION_GET_OBJECT_ATTRIBUTES = "s3:GetObjectAttributes"
 
 	// Object ACL operations
 	S3_ACTION_GET_OBJECT_ACL = "s3:GetObjectAcl"