
feat: policy add object tag #1908

Merged
overtrue merged 5 commits into rustfs:main from GatewayJ:fix/issuse-1874-policy-add-tag
Feb 27, 2026

@GatewayJ
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Summary of Changes

#1874 (comment)

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (compatibility)
  • Requires doc/config/deployment update
  • Other impact:

Additional Notes


Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

Contributor

Copilot AI left a comment

Pull request overview

This PR adds support for tag-based bucket policy conditions (specifically s3:ExistingObjectTag/<tag-key>) to enable per-object access control through bucket policies. This addresses issue #1874, which requested the ability to allow anonymous public access to specific objects in a bucket while keeping others private, based on object tags.

Changes:

  • Added get_object_tag_conditions_for_policy method to fetch and format object tags as policy condition values
  • Introduced ObjectTagConditions struct to pass tag conditions through the authorization flow
  • Integrated object tag condition evaluation into GetObject, HeadObject, and GetObjectAttributes authorization checks

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| rustfs/src/storage/ecfs.rs | Added method to fetch object tags and format them as ExistingObjectTag conditions for policy evaluation |
| rustfs/src/storage/access.rs | Added ObjectTagConditions struct and integrated tag condition fetching into authorization flow for GetObject, HeadObject, and GetObjectAttributes operations |

@GatewayJ GatewayJ force-pushed the fix/issuse-1874-policy-add-tag branch 5 times, most recently from b96dcdd to 54f9e60 Compare February 25, 2026 14:46
@loverustfs loverustfs requested a review from Copilot February 26, 2026 02:55
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

@GatewayJ GatewayJ force-pushed the fix/issuse-1874-policy-add-tag branch from 72bb5dc to f258118 Compare February 26, 2026 11:40
@GatewayJ GatewayJ requested a review from loverustfs February 26, 2026 12:02
GatewayJ and others added 2 commits February 27, 2026 14:47
…ject

Move req_info bucket/object/version_id update before fetch_tag_conditions
for consistency with other S3 operations (delete_object, get_object, etc.).
@GatewayJ GatewayJ force-pushed the fix/issuse-1874-policy-add-tag branch from f258118 to 821dfc1 Compare February 27, 2026 06:48
@loverustfs loverustfs requested a review from Copilot February 27, 2026 13:43
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

rustfs/src/storage/access.rs:610

  • In copy_object, after authorizing GetObject on the source with source object tags, the same ObjectTagConditions remain in req.extensions when authorizing PutObject on the destination. This means the destination PutObject authorization will incorrectly use the source object's tags in its policy conditions instead of no tags (since the destination doesn't exist yet) or the destination's tags (if copying to an existing object). Consider removing or replacing the tag conditions before the second authorization, or fetch destination tags if the destination object exists.
            let tag_conds = self
                .fetch_tag_conditions(&src_bucket, &src_key, version_id.as_deref(), "copy_object_src")
                .await?;
            req.extensions.insert(tag_conds);

            authorize_request(req, Action::S3Action(S3Action::GetObjectAction)).await?;
        }

        let req_info = req.extensions.get_mut::<ReqInfo>().expect("ReqInfo not found");

        req_info.bucket = Some(req.input.bucket.clone());
        req_info.object = Some(req.input.key.clone());
        req_info.version_id = req.input.version_id.clone();

        authorize_request(req, Action::S3Action(S3Action::PutObjectAction)).await
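
The following is an added example, not code from this PR or from RustFS. It models the `ExistingObjectTag/<tag-key>` condition check described in the first review overview and the stale request-context concern raised in the suppressed `copy_object` comment. `Statement`, `tag_conditions`, `is_allowed`, `authorize_copy` and the sample policy are hypothetical names and constructed data.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for illustration; these are not RustFS types.
type Conditions = HashMap<String, String>; // "ExistingObjectTag/<key>" -> value
type Tags<'a> = &'a [(&'a str, &'a str)];

/// One Allow statement with a single StringEquals condition on an object tag.
struct Statement { action: &'static str, tag_key: &'static str, tag_value: &'static str }

/// Constructed policy: both actions require the tag public=true.
fn sample_policy() -> Vec<Statement> {
    vec![
        Statement { action: "s3:GetObject", tag_key: "public", tag_value: "true" },
        Statement { action: "s3:PutObject", tag_key: "public", tag_value: "true" },
    ]
}

/// Format object tags as condition values keyed by ExistingObjectTag/<tag-key>.
fn tag_conditions(tags: Tags) -> Conditions {
    tags.iter().map(|(k, v)| (format!("ExistingObjectTag/{k}"), v.to_string())).collect()
}

/// Allowed only if a statement matches the action and its tag condition holds.
fn is_allowed(policy: &[Statement], action: &str, ctx: &Conditions) -> bool {
    policy.iter().any(|s| {
        let key = format!("ExistingObjectTag/{}", s.tag_key);
        s.action == action && ctx.get(&key).map(String::as_str) == Some(s.tag_value)
    })
}

/// Two-step copy authorization sharing one request context (like req.extensions).
/// With `reset == false` the source tags are still present for the PutObject check.
fn authorize_copy(policy: &[Statement], src: Tags, dst: Option<Tags>, reset: bool) -> bool {
    let mut ctx = tag_conditions(src);
    if !is_allowed(policy, "s3:GetObject", &ctx) {
        return false;
    }
    if reset {
        // Evaluate the destination against its own tags, or none if it does not exist.
        ctx = tag_conditions(dst.unwrap_or(&[]));
    }
    is_allowed(policy, "s3:PutObject", &ctx)
}

fn main() {
    let policy = sample_policy();
    let src: Tags = &[("public", "true")]; // constructed source object tags
    println!("stale context: {}", authorize_copy(&policy, src, None, false));
    println!("reset context: {}", authorize_copy(&policy, src, None, true));
}
```

With the context left in place, the write to a non-existent destination is authorized on the strength of the source object's tags; resetting the context before the second check denies it.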

@overtrue overtrue merged commit 55396f1 into rustfs:main Feb 27, 2026
4 checks passed