Fix statement.IsAllowed when bucket disallowed

[vfauth]

Resolves minio/minio#20449

I also added some tests.

By the way, some existing tests seem to be duplicate of each other, can somebody understand what their use is? If not, I may remove them.
Because:

• anonGetBucketLocationArgs and getBucketLocationArgs are exactly the same
• anonPutObjectActionArgs and putObjectActionArgs are exactly the same
• anonGetObjectActionArgs and gutObjectActionArgs are exactly the same

[harshavardhana]

@donatello @vadmeste please review this carefully, as its a breaking change.

[taran-p]

Change fixes problem in mentioned issue. Doesn't break anything unexpected in my testing, so as long as the expected breaking changes are ok, it LGTM.

[harshavardhana]

Thank you @taran-p - onwards.

[harshavardhana]

This PR does actually break this test

        // 2.2 create and associate policy to user                                                                                                                                                                                            
        policy := "mypolicy-test-user-update"                                                                                                                                                                                                 
        policyBytes := []byte(fmt.Sprintf(`{                                                                                                                                                                                                  
 "Version": "2012-10-17",                                                                                                                                                                                                                     
 "Statement": [                                                                                                                                                                                                                               
  {                                                                                                                                                                                                                                           
   "Effect": "Allow",                                                                                                                                                                                                                         
   "Action": [                                                                                                                                                                                                                                
    "s3:PutObject",                                                                                                                                                                                                                           
    "s3:GetObject",                                                                                                                                                                                                                           
    "s3:ListBucket"                                                                                                                                                                                                                           
   ],                                                                                                                                                                                                                                         
   "Resource": [                                                                                                                                                                                                                              
    "arn:aws:s3:::%s/*"                                                                                                                                                                                                                       
   ]                                                                                                                                                                                                                                          
  }                                                                                                                                                                                                                                           
 ]                                                                                                                                                                                                                                            
}`, bucket))                                                                                                                                                                                                                                  
        err = s.adm.AddCannedPolicy(ctx, policy, policyBytes)                                                                                                                                                                                 
        if err != nil {                                                                                                                                                                                                                       
                c.Fatalf("policy add error: %v", err)                                                                                                                                                                                         
        }                                                                                                                                                                                                                                     
        _, err = s.adm.AttachPolicy(ctx, madmin.PolicyAssociationReq{                                                                                                                                                                         
                Policies: []string{policy},                                                                                                                                                                                                   
                User:     accessKey,                                                                                                                                                                                                          
        })                                                                                                                                                                                                                                    
        if err != nil {                                                                                                                                                                                                                       
                c.Fatalf("unable to attach policy: %v", err)                                                                                                                                                                                  
        }                                                                                                                                                                                                                                     
        // 2.3 check user has access to bucket                                                                                                                                                                                                
        c.mustListObjects(ctx, uClient, bucket)    

[harshavardhana]

This PR also breaks a policy like this where ListObjects() must work but fails

        // Create policy                                                                                                                                                                      
        policy := "mypolicy-username"                                                                                                                                                         
        policyBytes := []byte(`{                                                                                                                                                              
 "Version": "2012-10-17",                                                                                                                                                                     
 "Statement": [                                                                                                                                                                               
  {                                                                                                                                                                                           
   "Effect": "Allow",                                                                                                                                                                         
   "Action": [                                                                                                                                                                                
    "s3:*"                                                                                                                                                                                    
   ],                                                                                                                                                                                         
   "Resource": [                                                                                                                                                                              
    "arn:aws:s3:::${aws:username}-*"                                                                                                                                                          
   ]                                                                                                                                                                                          
  }                                                                                                                                                                                           
 ]                                                                                                                                                                                            
}`)    

The PR is reverted.