fix: evaluate BypassGov policy action in deletion correctly #16635

Merged
merged 1 commit into from
Feb 17, 2023

@vadmeste vadmeste commented Feb 16, 2023

Description

This policy allows bypassing governance for deletion,
though s3:BypassGovernanceRetention is explicitly denied.

{
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Deny", "Action": ["s3:BypassGovernanceRetention"], "Resource": ["arn:aws:s3:::*"] },
      { "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"] }
    ]
}

Fix the related code and avoid allowing s3:GetBucketObjectLockConfigurationAction
to remove an object locked with governance.

Found by @wdinyes

Motivation and Context

Disallow removal of governance protected with the policy above

How to test this PR?

  1. Create a bucket with lock enabled with default governance locking
  2. Create a regular user associated to the policy above
  3. Upload a version and try to remove it

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Unit tests added/updated
  • Internal documentation updated
  • Create a documentation update request here
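
The evaluation problem described in this PR, as an added Go example (not MinIO's code and not part of the original PR): it parses the policy above, applies explicit-Deny-wins evaluation, and contrasts a bypass check that also accepts a second allowed action with one that consults only s3:BypassGovernanceRetention. The function names and the "loose" check are hypothetical simplifications of the flaw the description names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Policy from the PR description; both Resource entries are "*", so Resource is not evaluated here.
const prPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Action": ["s3:BypassGovernanceRetention"], "Resource": ["arn:aws:s3:::*"]},
  {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}`
type statement struct {
	Effect string
	Action []string
}
type policy struct{ Statement []statement }

func loadPolicy(doc string) (p policy, err error) {
	err = json.Unmarshal([]byte(doc), &p)
	return p, err
}

// isAllowed: an explicit Deny beats any Allow; without a matching Allow the action is denied.
func (p policy) isAllowed(action string) bool {
	allowed := false
	for _, s := range p.Statement {
		for _, pat := range s.Action {
			hit, _ := path.Match(pat, action) // "*" wildcard; action names contain no "/"
			if hit && s.Effect == "Deny" {
				return false
			}
			allowed = allowed || (hit && s.Effect == "Allow")
		}
	}
	return allowed
}

// Loose (hypothetical model of the flaw): a second allowed action stands in for the denied one.
func canBypassLoose(p policy) bool {
	return p.isAllowed("s3:BypassGovernanceRetention") || p.isAllowed("s3:GetBucketObjectLockConfiguration")
}

// Strict: only the bypass action itself is consulted, so the explicit Deny holds.
func canBypassStrict(p policy) bool { return p.isAllowed("s3:BypassGovernanceRetention") }

func main() {
	p, err := loadPolicy(prPolicy)
	fmt.Println(err, canBypassLoose(p), canBypassStrict(p)) // <nil> true false
}
```

With this policy the loose check grants bypass because "s3:*" allows the second action, while the strict check honours the explicit Deny.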

@minio-trusted

Mint Automation

Test Result
mint-erasure.sh ✔️
mint-pools.sh ✔️
mint-compress-encrypt-dist-erasure.sh more...

16635-c2c7d04/mint-compress-encrypt-dist-erasure.sh.log:

Running with
SERVER_ENDPOINT:      15.15.15.3:32497
ACCESS_KEY:           minio
SECRET_KEY:           ***REDACTED***
ENABLE_HTTPS:         0
SERVER_REGION:        us-east-1
MINT_DATA_DIR:        /mint/data
MINT_MODE:            full
ENABLE_VIRTUAL_STYLE: 0
RUN_ON_FAIL:          0

To get logs, run 'docker cp bbaa48d224cd:/mint/log /tmp/mint-logs'

(1/14) Running aws-sdk-go tests ... done in 9 seconds
(2/14) Running aws-sdk-java tests ... done in 1 seconds
(3/14) Running aws-sdk-php tests ... done in 42 seconds
(4/14) Running aws-sdk-ruby tests ... done in 7 seconds
(5/14) Running awscli tests ... FAILED in 5 minutes and 51 seconds
{"name": "awscli", "duration": 305186, "function": "make_bucket\n", "status": "FAIL", "error": "Connect timeout on endpoint URL: "http://15.15.15.3:32497/awscli-mint-test-bucket-15583""}
(5/14) Running healthcheck tests ... FAILED in 30 seconds
{
  "alert": "",
  "args": null,
  "duration": 30029,
  "error": "Get \"http://15.15.15.3:32497/minio/health/live\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)",
  "function": "testLivenessEndpoint",
  "message": "GET request failed",
  "name": "healthcheck",
  "status": "FAIL"
}
(5/14) Running mc tests ... FAILED in 21 seconds
{
  "alert": "",
  "args": null,
  "duration": 30029,
  "error": "Get \"http://15.15.15.3:32497/minio/health/live\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)",
  "function": "testLivenessEndpoint",
  "message": "GET request failed",
  "name": "healthcheck",
  "status": "FAIL"
}
(5/14) Running minio-go tests ... done in 1 minutes and 49 seconds
(6/14) Running minio-java tests ... done in 31 seconds
(7/14) Running minio-js tests ... done in 51 seconds
(8/14) Running minio-py tests ... done in 2 minutes and 35 seconds
(9/14) Running s3cmd tests ... done in 16 seconds
(10/14) Running s3select tests ... done in 4 seconds
(11/14) Running versioning tests ... done in 3 minutes and 18 seconds

Executed 11 out of 14 tests successfully.

Deleting image on docker hub
Deleting image locally

@harshavardhana harshavardhana left a comment

Can you try Deny GetObjectLockConfiguration and test the same policy?

@harshavardhana harshavardhana changed the title from "Fix evaluting BypassGovernance policy action in deletion" to "fix: evaluate BypassGov policy action in deletion correctly" Feb 17, 2023
@harshavardhana harshavardhana merged commit a7188bc into minio:master Feb 17, 2023
@bh4t bh4t added the bugfix label May 24, 2023
Adphi pushed a commit to linka-cloud/minio-gateway that referenced this pull request Mar 21, 2024