security fixes

BUCKET_POLICY_ENGINE_INTEGRATION.md

@@ -53,9 +53,9 @@ Created a wrapper around `policy_engine.PolicyEngine` to:
 3. Build principal ARN (e.g., "arn:aws:iam::123456:user/bob")
 4. Check bucket policy:
    - If DENY → reject immediately
-   - If ALLOW → continue to step 5
-   - If no policy → continue to step 5
-5. Check IAM/identity-based permissions
+   - If ALLOW → grant access immediately (bypasses IAM checks)
+   - If no policy or no matching statements → continue to step 5
+5. Check IAM/identity-based permissions (only if not already allowed by bucket policy)
 6. Allow or deny based on identity permissions
 ```
 

weed/s3api/auth_credentials.go

@@ -519,7 +519,7 @@ func (iam *IdentityAccessManagement) authRequest(r *http.Request, action Action)
 				// SECURITY: Fail-close on policy evaluation errors
 				// If we can't evaluate the policy, deny access rather than falling through to IAM
 				glog.Errorf("Error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
-				return identity, s3err.ErrInternalError
+				return identity, s3err.ErrAccessDenied
 			} else if evaluated {
 				// A bucket policy exists and was evaluated with a matching statement
 				if allowed {

weed/s3api/s3api_bucket_handlers.go

@@ -615,7 +615,7 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
 				// SECURITY: Fail-close on policy evaluation errors
 				// If we can't evaluate the policy, deny access rather than falling through to IAM
 				glog.Errorf("AuthWithPublicRead: error evaluating bucket policy for %s/%s: %v - denying access", bucket, object, err)
-				s3err.WriteErrorResponse(w, r, s3err.ErrInternalError)
+				s3err.WriteErrorResponse(w, r, s3err.ErrAccessDenied)
 				return
 			} else if evaluated {
 				// A bucket policy exists and was evaluated with a matching statement