Chris Lu 5797fb24ec s3: support AWS object form for bucket policy Principal, add NotPrincipal (#10125)
* s3: support AWS object form for bucket policy Principal, add NotPrincipal

Bucket policy statements only accepted a bare string or array of strings for
the Principal element, so the AWS-documented object form was rejected:

    "Principal": { "AWS": "arn:aws:iam::123456789012:root" }
    "Principal": { "AWS": ["arn:...", "999999999999"] }

Add a PolicyPrincipal type that parses the bare string, the bare array
(retained for backward compatibility), and the object form keyed by AWS,
Service, Federated or CanonicalUser (each value a string or array). All keyed
values are flattened for principal matching, and the original JSON is preserved
so PutBucketPolicy/GetBucketPolicy returns the exact shape submitted - keeping
infrastructure-as-code tools (Terraform, Ansible) idempotent.

Also add NotPrincipal support (a statement applies to every principal except the
ones named), compiled and evaluated in both policy evaluators, and reject
statements that specify both Principal and NotPrincipal.

* s3: address review - validate principal object form, honor dynamic NotPrincipal

- Reject unsupported Principal object keys (only AWS/Service/Federated/
  CanonicalUser) and empty values, so a form like {"AWS":[]} no longer compiles
  to zero matchers and silently relies on the match-all fallback.
- Detect both Principal and NotPrincipal by field presence, not by flattened
  length, so a present-but-empty field is still rejected.
- Honor dynamic (policy-variable) NotPrincipal/Principal patterns in the
  compiled evaluator; previously a NotPrincipal made only of variables was
  treated as absent and its exclusion bypassed.
- Add regression tests for the object-form validation and dynamic NotPrincipal.
2026-06-27 22:36:26 -07:00
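As an added illustration, not the SeaweedFS code from this commit, the Go sketch below implements the rules the commit message lays out: a `PolicyPrincipal` that accepts the bare string, the bare array and the object form keyed by AWS/Service/Federated/CanonicalUser, flattens every value for matching, keeps the submitted JSON so it can be echoed back unchanged, rejects unsupported keys and empty values, refuses a statement that carries both `Principal` and `NotPrincipal` by field presence, and evaluates `NotPrincipal` as "everyone except the named principals". All type and function names (`PolicyPrincipal`, `Statement`, `ParseStatement`, `AppliesTo`, `allowedPrincipalKeys`) are assumptions of this example; the ARN and account number are the documentation examples quoted in the message; the policy-variable (dynamic) patterns mentioned in the review follow-up are not modelled here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// PolicyPrincipal (example type, not SeaweedFS's): Raw keeps the submitted
// JSON so GetBucketPolicy can echo the exact shape; Values is flattened for matching.
type PolicyPrincipal struct {
	Raw    json.RawMessage
	Values []string
}

// Object-form keys the parser accepts; any other key is rejected.
var allowedPrincipalKeys = map[string]bool{"AWS": true, "Service": true, "Federated": true, "CanonicalUser": true}

// stringOrSlice decodes a JSON string or an array of strings.
func stringOrSlice(data json.RawMessage) (list []string, err error) {
	var s string
	if json.Unmarshal(data, &s) == nil {
		return []string{s}, nil
	}
	if err = json.Unmarshal(data, &list); err != nil {
		err = fmt.Errorf("principal value must be a string or array of strings: %w", err)
	}
	return list, err
}

// UnmarshalJSON accepts the bare string, the bare array and the object form. Unknown
// keys and empty values are errors, so no principal compiles to zero matchers.
func (p *PolicyPrincipal) UnmarshalJSON(data []byte) error {
	var flat []string
	var obj map[string]json.RawMessage
	if json.Unmarshal(data, &obj) == nil {
		for key, val := range obj {
			if !allowedPrincipalKeys[key] {
				return fmt.Errorf("unsupported Principal key %q", key)
			}
			vals, err := stringOrSlice(val)
			if err != nil {
				return err
			}
			if len(vals) == 0 {
				return fmt.Errorf("Principal key %q has no values", key)
			}
			flat = append(flat, vals...)
		}
		sort.Strings(flat) // map iteration order is random; keep Values deterministic
	} else if vals, err := stringOrSlice(data); err != nil {
		return err
	} else {
		flat = vals
	}
	if len(flat) == 0 {
		return fmt.Errorf("Principal must name at least one principal: %s", data)
	}
	p.Raw = append(json.RawMessage(nil), data...) // copy: the decoder may reuse its buffer
	p.Values = flat
	return nil
}

// MarshalJSON echoes the submitted JSON (encoding/json only compacts whitespace).
func (p PolicyPrincipal) MarshalJSON() ([]byte, error) { return p.Raw, nil }

// Statement carries only the fields relevant to principal evaluation.
type Statement struct {
	Effect       string           `json:"Effect"`
	Principal    *PolicyPrincipal `json:"Principal,omitempty"`
	NotPrincipal *PolicyPrincipal `json:"NotPrincipal,omitempty"`
}

// ParseStatement decodes one statement; the two elements are mutually exclusive,
// judged by field presence rather than by flattened length.
func ParseStatement(data string) (*Statement, error) {
	var s Statement
	if err := json.Unmarshal([]byte(data), &s); err != nil {
		return nil, err
	}
	if s.Principal != nil && s.NotPrincipal != nil {
		return nil, fmt.Errorf("statement must not specify both Principal and NotPrincipal")
	}
	return &s, nil
}

// AppliesTo evaluates the constraint: Principal selects the named principals,
// NotPrincipal selects every principal except the named ones ("*" names all).
func (s *Statement) AppliesTo(identity string) bool {
	named := func(p *PolicyPrincipal) bool {
		for _, pat := range p.Values {
			if pat == "*" || pat == identity {
				return true
			}
		}
		return false
	}
	if s.NotPrincipal != nil {
		return !named(s.NotPrincipal)
	}
	return s.Principal != nil && named(s.Principal)
}
```

Feeding `{"Effect":"Allow","Principal":{"AWS":[]}}` or a statement naming both elements to `ParseStatement` returns an error rather than a statement that matches nobody or everybody; a `NotPrincipal` statement applies to any identity other than the ones listed. Because `MarshalJSON` returns the stored bytes, re-encoding a parsed statement emits the object form that was submitted instead of a normalised array.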