New upstream version 2.0.2+dfsg

6 files changed, 3379 insertions, 0 deletions

diff --git a/pkg/policy/bucket-policy-condition.go b/pkg/policy/bucket-policy-condition.go
new file mode 100644
index 0000000..078bcd1
--- /dev/null
+++ b/pkg/policy/bucket-policy-condition.go
@@ -0,0 +1,115 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package policy
+
+import "github.com/minio/minio-go/pkg/set"
+
+// ConditionKeyMap - map of policy condition key and value.
+type ConditionKeyMap map[string]set.StringSet
+
+// Add - adds key and value.  The value is appended If key already exists.
+func (ckm ConditionKeyMap) Add(key string, value set.StringSet) {
+	if v, ok := ckm[key]; ok {
+		ckm[key] = v.Union(value)
+	} else {
+		ckm[key] = set.CopyStringSet(value)
+	}
+}
+
+// Remove - removes value of given key.  If key has empty after removal, the key is also removed.
+func (ckm ConditionKeyMap) Remove(key string, value set.StringSet) {
+	if v, ok := ckm[key]; ok {
+		if value != nil {
+			ckm[key] = v.Difference(value)
+		}
+
+		if ckm[key].IsEmpty() {
+			delete(ckm, key)
+		}
+	}
+}
+
+// RemoveKey - removes key and its value.
+func (ckm ConditionKeyMap) RemoveKey(key string) {
+	if _, ok := ckm[key]; ok {
+		delete(ckm, key)
+	}
+}
+
+// CopyConditionKeyMap - returns new copy of given ConditionKeyMap.
+func CopyConditionKeyMap(condKeyMap ConditionKeyMap) ConditionKeyMap {
+	out := make(ConditionKeyMap)
+
+	for k, v := range condKeyMap {
+		out[k] = set.CopyStringSet(v)
+	}
+
+	return out
+}
+
+// mergeConditionKeyMap - returns a new ConditionKeyMap which contains merged key/value of given two ConditionKeyMap.
+func mergeConditionKeyMap(condKeyMap1 ConditionKeyMap, condKeyMap2 ConditionKeyMap) ConditionKeyMap {
+	out := CopyConditionKeyMap(condKeyMap1)
+
+	for k, v := range condKeyMap2 {
+		if ev, ok := out[k]; ok {
+			out[k] = ev.Union(v)
+		} else {
+			out[k] = set.CopyStringSet(v)
+		}
+	}
+
+	return out
+}
+
+// ConditionMap - map of condition and conditional values.
+type ConditionMap map[string]ConditionKeyMap
+
+// Add - adds condition key and condition value.  The value is appended if key already exists.
+func (cond ConditionMap) Add(condKey string, condKeyMap ConditionKeyMap) {
+	if v, ok := cond[condKey]; ok {
+		cond[condKey] = mergeConditionKeyMap(v, condKeyMap)
+	} else {
+		cond[condKey] = CopyConditionKeyMap(condKeyMap)
+	}
+}
+
+// Remove - removes condition key and its value.
+func (cond ConditionMap) Remove(condKey string) {
+	if _, ok := cond[condKey]; ok {
+		delete(cond, condKey)
+	}
+}
+
+// mergeConditionMap - returns new ConditionMap which contains merged key/value of two ConditionMap.
+func mergeConditionMap(condMap1 ConditionMap, condMap2 ConditionMap) ConditionMap {
+	out := make(ConditionMap)
+
+	for k, v := range condMap1 {
+		out[k] = CopyConditionKeyMap(v)
+	}
+
+	for k, v := range condMap2 {
+		if ev, ok := out[k]; ok {
+			out[k] = mergeConditionKeyMap(ev, v)
+		} else {
+			out[k] = CopyConditionKeyMap(v)
+		}
+	}
+
+	return out
+}
diff --git a/pkg/policy/bucket-policy-condition_test.go b/pkg/policy/bucket-policy-condition_test.go
new file mode 100644
index 0000000..419868f
--- /dev/null
+++ b/pkg/policy/bucket-policy-condition_test.go
@@ -0,0 +1,289 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package policy
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/minio/minio-go/pkg/set"
+)
+
+// ConditionKeyMap.Add() is called and the result is validated.
+func TestConditionKeyMapAdd(t *testing.T) {
+	condKeyMap := make(ConditionKeyMap)
+	testCases := []struct {
+		key            string
+		value          set.StringSet
+		expectedResult string
+	}{
+		// Add new key and value.
+		{"s3:prefix", set.CreateStringSet("hello"), `{"s3:prefix":["hello"]}`},
+		// Add existing key and value.
+		{"s3:prefix", set.CreateStringSet("hello"), `{"s3:prefix":["hello"]}`},
+		// Add existing key and not value.
+		{"s3:prefix", set.CreateStringSet("world"), `{"s3:prefix":["hello","world"]}`},
+	}
+
+	for _, testCase := range testCases {
+		condKeyMap.Add(testCase.key, testCase.value)
+		if data, err := json.Marshal(condKeyMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// ConditionKeyMap.Remove() is called and the result is validated.
+func TestConditionKeyMapRemove(t *testing.T) {
+	condKeyMap := make(ConditionKeyMap)
+	condKeyMap.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+
+	testCases := []struct {
+		key            string
+		value          set.StringSet
+		expectedResult string
+	}{
+		// Remove non-existent key and value.
+		{"s3:myprefix", set.CreateStringSet("hello"), `{"s3:prefix":["hello","world"]}`},
+		// Remove existing key and value.
+		{"s3:prefix", set.CreateStringSet("hello"), `{"s3:prefix":["world"]}`},
+		// Remove existing key to make the key also removed.
+		{"s3:prefix", set.CreateStringSet("world"), `{}`},
+	}
+
+	for _, testCase := range testCases {
+		condKeyMap.Remove(testCase.key, testCase.value)
+		if data, err := json.Marshal(condKeyMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// ConditionKeyMap.RemoveKey() is called and the result is validated.
+func TestConditionKeyMapRemoveKey(t *testing.T) {
+	condKeyMap := make(ConditionKeyMap)
+	condKeyMap.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+
+	testCases := []struct {
+		key            string
+		expectedResult string
+	}{
+		// Remove non-existent key.
+		{"s3:myprefix", `{"s3:prefix":["hello","world"]}`},
+		// Remove existing key.
+		{"s3:prefix", `{}`},
+	}
+
+	for _, testCase := range testCases {
+		condKeyMap.RemoveKey(testCase.key)
+		if data, err := json.Marshal(condKeyMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// CopyConditionKeyMap() is called and the result is validated.
+func TestCopyConditionKeyMap(t *testing.T) {
+	emptyCondKeyMap := make(ConditionKeyMap)
+	nonEmptyCondKeyMap := make(ConditionKeyMap)
+	nonEmptyCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+
+	testCases := []struct {
+		condKeyMap     ConditionKeyMap
+		expectedResult string
+	}{
+		// To test empty ConditionKeyMap.
+		{emptyCondKeyMap, `{}`},
+		// To test non-empty ConditionKeyMap.
+		{nonEmptyCondKeyMap, `{"s3:prefix":["hello","world"]}`},
+	}
+
+	for _, testCase := range testCases {
+		condKeyMap := CopyConditionKeyMap(testCase.condKeyMap)
+		if data, err := json.Marshal(condKeyMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// mergeConditionKeyMap() is called and the result is validated.
+func TestMergeConditionKeyMap(t *testing.T) {
+	condKeyMap1 := make(ConditionKeyMap)
+	condKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+
+	condKeyMap2 := make(ConditionKeyMap)
+	condKeyMap2.Add("s3:prefix", set.CreateStringSet("world"))
+
+	condKeyMap3 := make(ConditionKeyMap)
+	condKeyMap3.Add("s3:myprefix", set.CreateStringSet("world"))
+
+	testCases := []struct {
+		condKeyMap1    ConditionKeyMap
+		condKeyMap2    ConditionKeyMap
+		expectedResult string
+	}{
+		// Both arguments are empty.
+		{make(ConditionKeyMap), make(ConditionKeyMap), `{}`},
+		// First argument is empty.
+		{make(ConditionKeyMap), condKeyMap1, `{"s3:prefix":["hello"]}`},
+		// Second argument is empty.
+		{condKeyMap1, make(ConditionKeyMap), `{"s3:prefix":["hello"]}`},
+		// Both arguments are same value.
+		{condKeyMap1, condKeyMap1, `{"s3:prefix":["hello"]}`},
+		// Value of second argument will be merged.
+		{condKeyMap1, condKeyMap2, `{"s3:prefix":["hello","world"]}`},
+		// second argument will be added.
+		{condKeyMap1, condKeyMap3, `{"s3:myprefix":["world"],"s3:prefix":["hello"]}`},
+	}
+
+	for _, testCase := range testCases {
+		condKeyMap := mergeConditionKeyMap(testCase.condKeyMap1, testCase.condKeyMap2)
+		if data, err := json.Marshal(condKeyMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// ConditionMap.Add() is called and the result is validated.
+func TestConditionMapAdd(t *testing.T) {
+	condMap := make(ConditionMap)
+
+	condKeyMap1 := make(ConditionKeyMap)
+	condKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+
+	condKeyMap2 := make(ConditionKeyMap)
+	condKeyMap2.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+
+	testCases := []struct {
+		key            string
+		value          ConditionKeyMap
+		expectedResult string
+	}{
+		// Add new key and value.
+		{"StringEquals", condKeyMap1, `{"StringEquals":{"s3:prefix":["hello"]}}`},
+		// Add existing key and value.
+		{"StringEquals", condKeyMap1, `{"StringEquals":{"s3:prefix":["hello"]}}`},
+		// Add existing key and not value.
+		{"StringEquals", condKeyMap2, `{"StringEquals":{"s3:prefix":["hello","world"]}}`},
+	}
+
+	for _, testCase := range testCases {
+		condMap.Add(testCase.key, testCase.value)
+		if data, err := json.Marshal(condMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// ConditionMap.Remove() is called and the result is validated.
+func TestConditionMapRemove(t *testing.T) {
+	condMap := make(ConditionMap)
+	condKeyMap := make(ConditionKeyMap)
+	condKeyMap.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+	condMap.Add("StringEquals", condKeyMap)
+
+	testCases := []struct {
+		key            string
+		expectedResult string
+	}{
+		// Remove non-existent key.
+		{"StringNotEquals", `{"StringEquals":{"s3:prefix":["hello","world"]}}`},
+		// Remove existing key.
+		{"StringEquals", `{}`},
+	}
+
+	for _, testCase := range testCases {
+		condMap.Remove(testCase.key)
+		if data, err := json.Marshal(condMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// mergeConditionMap() is called and the result is validated.
+func TestMergeConditionMap(t *testing.T) {
+	condKeyMap1 := make(ConditionKeyMap)
+	condKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+	condMap1 := make(ConditionMap)
+	condMap1.Add("StringEquals", condKeyMap1)
+
+	condKeyMap2 := make(ConditionKeyMap)
+	condKeyMap2.Add("s3:prefix", set.CreateStringSet("world"))
+	condMap2 := make(ConditionMap)
+	condMap2.Add("StringEquals", condKeyMap2)
+
+	condMap3 := make(ConditionMap)
+	condMap3.Add("StringNotEquals", condKeyMap2)
+
+	testCases := []struct {
+		condMap1       ConditionMap
+		condMap2       ConditionMap
+		expectedResult string
+	}{
+		// Both arguments are empty.
+		{make(ConditionMap), make(ConditionMap), `{}`},
+		// First argument is empty.
+		{make(ConditionMap), condMap1, `{"StringEquals":{"s3:prefix":["hello"]}}`},
+		// Second argument is empty.
+		{condMap1, make(ConditionMap), `{"StringEquals":{"s3:prefix":["hello"]}}`},
+		// Both arguments are same value.
+		{condMap1, condMap1, `{"StringEquals":{"s3:prefix":["hello"]}}`},
+		// Value of second argument will be merged.
+		{condMap1, condMap2, `{"StringEquals":{"s3:prefix":["hello","world"]}}`},
+		// second argument will be added.
+		{condMap1, condMap3, `{"StringEquals":{"s3:prefix":["hello"]},"StringNotEquals":{"s3:prefix":["world"]}}`},
+	}
+
+	for _, testCase := range testCases {
+		condMap := mergeConditionMap(testCase.condMap1, testCase.condMap2)
+		if data, err := json.Marshal(condMap); err != nil {
+			t.Fatalf("Unable to marshal ConditionKeyMap to JSON, %s", err)
+		} else {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("case: %+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
diff --git a/pkg/policy/bucket-policy.go b/pkg/policy/bucket-policy.go
new file mode 100644
index 0000000..f618059
--- /dev/null
+++ b/pkg/policy/bucket-policy.go
@@ -0,0 +1,635 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package policy
+
+import (
+	"reflect"
+	"strings"
+
+	"github.com/minio/minio-go/pkg/set"
+)
+
+// BucketPolicy - Bucket level policy.
+type BucketPolicy string
+
+// Different types of Policies currently supported for buckets.
+const (
+	BucketPolicyNone      BucketPolicy = "none"
+	BucketPolicyReadOnly               = "readonly"
+	BucketPolicyReadWrite              = "readwrite"
+	BucketPolicyWriteOnly              = "writeonly"
+)
+
+// isValidBucketPolicy - Is provided policy value supported.
+func (p BucketPolicy) IsValidBucketPolicy() bool {
+	switch p {
+	case BucketPolicyNone, BucketPolicyReadOnly, BucketPolicyReadWrite, BucketPolicyWriteOnly:
+		return true
+	}
+	return false
+}
+
+// Resource prefix for all aws resources.
+const awsResourcePrefix = "arn:aws:s3:::"
+
+// Common bucket actions for both read and write policies.
+var commonBucketActions = set.CreateStringSet("s3:GetBucketLocation")
+
+// Read only bucket actions.
+var readOnlyBucketActions = set.CreateStringSet("s3:ListBucket")
+
+// Write only bucket actions.
+var writeOnlyBucketActions = set.CreateStringSet("s3:ListBucketMultipartUploads")
+
+// Read only object actions.
+var readOnlyObjectActions = set.CreateStringSet("s3:GetObject")
+
+// Write only object actions.
+var writeOnlyObjectActions = set.CreateStringSet("s3:AbortMultipartUpload", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:PutObject")
+
+// Read and write object actions.
+var readWriteObjectActions = readOnlyObjectActions.Union(writeOnlyObjectActions)
+
+// All valid bucket and object actions.
+var validActions = commonBucketActions.
+	Union(readOnlyBucketActions).
+	Union(writeOnlyBucketActions).
+	Union(readOnlyObjectActions).
+	Union(writeOnlyObjectActions)
+
+var startsWithFunc = func(resource string, resourcePrefix string) bool {
+	return strings.HasPrefix(resource, resourcePrefix)
+}
+
+// User - canonical users list.
+type User struct {
+	AWS           set.StringSet `json:"AWS,omitempty"`
+	CanonicalUser set.StringSet `json:"CanonicalUser,omitempty"`
+}
+
+// Statement - minio policy statement
+type Statement struct {
+	Actions    set.StringSet `json:"Action"`
+	Conditions ConditionMap  `json:"Condition,omitempty"`
+	Effect     string
+	Principal  User          `json:"Principal"`
+	Resources  set.StringSet `json:"Resource"`
+	Sid        string
+}
+
+// BucketAccessPolicy - minio policy collection
+type BucketAccessPolicy struct {
+	Version    string      // date in YYYY-MM-DD format
+	Statements []Statement `json:"Statement"`
+}
+
+// isValidStatement - returns whether given statement is valid to process for given bucket name.
+func isValidStatement(statement Statement, bucketName string) bool {
+	if statement.Actions.Intersection(validActions).IsEmpty() {
+		return false
+	}
+
+	if statement.Effect != "Allow" {
+		return false
+	}
+
+	if statement.Principal.AWS == nil || !statement.Principal.AWS.Contains("*") {
+		return false
+	}
+
+	bucketResource := awsResourcePrefix + bucketName
+	if statement.Resources.Contains(bucketResource) {
+		return true
+	}
+
+	if statement.Resources.FuncMatch(startsWithFunc, bucketResource+"/").IsEmpty() {
+		return false
+	}
+
+	return true
+}
+
+// Returns new statements with bucket actions for given policy.
+func newBucketStatement(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) {
+	statements = []Statement{}
+	if policy == BucketPolicyNone || bucketName == "" {
+		return statements
+	}
+
+	bucketResource := set.CreateStringSet(awsResourcePrefix + bucketName)
+
+	statement := Statement{
+		Actions:   commonBucketActions,
+		Effect:    "Allow",
+		Principal: User{AWS: set.CreateStringSet("*")},
+		Resources: bucketResource,
+		Sid:       "",
+	}
+	statements = append(statements, statement)
+
+	if policy == BucketPolicyReadOnly || policy == BucketPolicyReadWrite {
+		statement = Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: bucketResource,
+			Sid:       "",
+		}
+		if prefix != "" {
+			condKeyMap := make(ConditionKeyMap)
+			condKeyMap.Add("s3:prefix", set.CreateStringSet(prefix))
+			condMap := make(ConditionMap)
+			condMap.Add("StringEquals", condKeyMap)
+			statement.Conditions = condMap
+		}
+		statements = append(statements, statement)
+	}
+
+	if policy == BucketPolicyWriteOnly || policy == BucketPolicyReadWrite {
+		statement = Statement{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: bucketResource,
+			Sid:       "",
+		}
+		statements = append(statements, statement)
+	}
+
+	return statements
+}
+
+// Returns new statements contains object actions for given policy.
+func newObjectStatement(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) {
+	statements = []Statement{}
+	if policy == BucketPolicyNone || bucketName == "" {
+		return statements
+	}
+
+	statement := Statement{
+		Effect:    "Allow",
+		Principal: User{AWS: set.CreateStringSet("*")},
+		Resources: set.CreateStringSet(awsResourcePrefix + bucketName + "/" + prefix + "*"),
+		Sid:       "",
+	}
+
+	if policy == BucketPolicyReadOnly {
+		statement.Actions = readOnlyObjectActions
+	} else if policy == BucketPolicyWriteOnly {
+		statement.Actions = writeOnlyObjectActions
+	} else if policy == BucketPolicyReadWrite {
+		statement.Actions = readWriteObjectActions
+	}
+
+	statements = append(statements, statement)
+	return statements
+}
+
+// Returns new statements for given policy, bucket and prefix.
+func newStatements(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) {
+	statements = []Statement{}
+	ns := newBucketStatement(policy, bucketName, prefix)
+	statements = append(statements, ns...)
+
+	ns = newObjectStatement(policy, bucketName, prefix)
+	statements = append(statements, ns...)
+
+	return statements
+}
+
+// Returns whether given bucket statements are used by other than given prefix statements.
+func getInUsePolicy(statements []Statement, bucketName string, prefix string) (readOnlyInUse, writeOnlyInUse bool) {
+	resourcePrefix := awsResourcePrefix + bucketName + "/"
+	objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
+
+	for _, s := range statements {
+		if !s.Resources.Contains(objectResource) && !s.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() {
+			if s.Actions.Intersection(readOnlyObjectActions).Equals(readOnlyObjectActions) {
+				readOnlyInUse = true
+			}
+
+			if s.Actions.Intersection(writeOnlyObjectActions).Equals(writeOnlyObjectActions) {
+				writeOnlyInUse = true
+			}
+		}
+		if readOnlyInUse && writeOnlyInUse {
+			break
+		}
+	}
+
+	return readOnlyInUse, writeOnlyInUse
+}
+
+// Removes object actions in given statement.
+func removeObjectActions(statement Statement, objectResource string) Statement {
+	if statement.Conditions == nil {
+		if len(statement.Resources) > 1 {
+			statement.Resources.Remove(objectResource)
+		} else {
+			statement.Actions = statement.Actions.Difference(readOnlyObjectActions)
+			statement.Actions = statement.Actions.Difference(writeOnlyObjectActions)
+		}
+	}
+
+	return statement
+}
+
+// Removes bucket actions for given policy in given statement.
+func removeBucketActions(statement Statement, prefix string, bucketResource string, readOnlyInUse, writeOnlyInUse bool) Statement {
+	removeReadOnly := func() {
+		if !statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) {
+			return
+		}
+
+		if statement.Conditions == nil {
+			statement.Actions = statement.Actions.Difference(readOnlyBucketActions)
+			return
+		}
+
+		if prefix != "" {
+			stringEqualsValue := statement.Conditions["StringEquals"]
+			values := set.NewStringSet()
+			if stringEqualsValue != nil {
+				values = stringEqualsValue["s3:prefix"]
+				if values == nil {
+					values = set.NewStringSet()
+				}
+			}
+
+			values.Remove(prefix)
+
+			if stringEqualsValue != nil {
+				if values.IsEmpty() {
+					delete(stringEqualsValue, "s3:prefix")
+				}
+				if len(stringEqualsValue) == 0 {
+					delete(statement.Conditions, "StringEquals")
+				}
+			}
+
+			if len(statement.Conditions) == 0 {
+				statement.Conditions = nil
+				statement.Actions = statement.Actions.Difference(readOnlyBucketActions)
+			}
+		}
+	}
+
+	removeWriteOnly := func() {
+		if statement.Conditions == nil {
+			statement.Actions = statement.Actions.Difference(writeOnlyBucketActions)
+		}
+	}
+
+	if len(statement.Resources) > 1 {
+		statement.Resources.Remove(bucketResource)
+	} else {
+		if !readOnlyInUse {
+			removeReadOnly()
+		}
+
+		if !writeOnlyInUse {
+			removeWriteOnly()
+		}
+	}
+
+	return statement
+}
+
+// Returns statements containing removed actions/statements for given
+// policy, bucket name and prefix.
+func removeStatements(statements []Statement, bucketName string, prefix string) []Statement {
+	bucketResource := awsResourcePrefix + bucketName
+	objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
+	readOnlyInUse, writeOnlyInUse := getInUsePolicy(statements, bucketName, prefix)
+
+	out := []Statement{}
+	readOnlyBucketStatements := []Statement{}
+	s3PrefixValues := set.NewStringSet()
+
+	for _, statement := range statements {
+		if !isValidStatement(statement, bucketName) {
+			out = append(out, statement)
+			continue
+		}
+
+		if statement.Resources.Contains(bucketResource) {
+			if statement.Conditions != nil {
+				statement = removeBucketActions(statement, prefix, bucketResource, false, false)
+			} else {
+				statement = removeBucketActions(statement, prefix, bucketResource, readOnlyInUse, writeOnlyInUse)
+			}
+		} else if statement.Resources.Contains(objectResource) {
+			statement = removeObjectActions(statement, objectResource)
+		}
+
+		if !statement.Actions.IsEmpty() {
+			if statement.Resources.Contains(bucketResource) &&
+				statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) &&
+				statement.Effect == "Allow" &&
+				statement.Principal.AWS.Contains("*") {
+
+				if statement.Conditions != nil {
+					stringEqualsValue := statement.Conditions["StringEquals"]
+					values := set.NewStringSet()
+					if stringEqualsValue != nil {
+						values = stringEqualsValue["s3:prefix"]
+						if values == nil {
+							values = set.NewStringSet()
+						}
+					}
+					s3PrefixValues = s3PrefixValues.Union(values.ApplyFunc(func(v string) string {
+						return bucketResource + "/" + v + "*"
+					}))
+				} else if !s3PrefixValues.IsEmpty() {
+					readOnlyBucketStatements = append(readOnlyBucketStatements, statement)
+					continue
+				}
+			}
+			out = append(out, statement)
+		}
+	}
+
+	skipBucketStatement := true
+	resourcePrefix := awsResourcePrefix + bucketName + "/"
+	for _, statement := range out {
+		if !statement.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() &&
+			s3PrefixValues.Intersection(statement.Resources).IsEmpty() {
+			skipBucketStatement = false
+			break
+		}
+	}
+
+	for _, statement := range readOnlyBucketStatements {
+		if skipBucketStatement &&
+			statement.Resources.Contains(bucketResource) &&
+			statement.Effect == "Allow" &&
+			statement.Principal.AWS.Contains("*") &&
+			statement.Conditions == nil {
+			continue
+		}
+
+		out = append(out, statement)
+	}
+
+	if len(out) == 1 {
+		statement := out[0]
+		if statement.Resources.Contains(bucketResource) &&
+			statement.Actions.Intersection(commonBucketActions).Equals(commonBucketActions) &&
+			statement.Effect == "Allow" &&
+			statement.Principal.AWS.Contains("*") &&
+			statement.Conditions == nil {
+			out = []Statement{}
+		}
+	}
+
+	return out
+}
+
+//  Appends given statement into statement list to have unique statements.
+//  - If statement already exists in statement list, it ignores.
+//  - If statement exists with different conditions, they are merged.
+//  - Else the statement is appended to statement list.
+func appendStatement(statements []Statement, statement Statement) []Statement {
+	for i, s := range statements {
+		if s.Actions.Equals(statement.Actions) &&
+			s.Effect == statement.Effect &&
+			s.Principal.AWS.Equals(statement.Principal.AWS) &&
+			reflect.DeepEqual(s.Conditions, statement.Conditions) {
+			statements[i].Resources = s.Resources.Union(statement.Resources)
+			return statements
+		} else if s.Resources.Equals(statement.Resources) &&
+			s.Effect == statement.Effect &&
+			s.Principal.AWS.Equals(statement.Principal.AWS) &&
+			reflect.DeepEqual(s.Conditions, statement.Conditions) {
+			statements[i].Actions = s.Actions.Union(statement.Actions)
+			return statements
+		}
+
+		if s.Resources.Intersection(statement.Resources).Equals(statement.Resources) &&
+			s.Actions.Intersection(statement.Actions).Equals(statement.Actions) &&
+			s.Effect == statement.Effect &&
+			s.Principal.AWS.Intersection(statement.Principal.AWS).Equals(statement.Principal.AWS) {
+			if reflect.DeepEqual(s.Conditions, statement.Conditions) {
+				return statements
+			}
+			if s.Conditions != nil && statement.Conditions != nil {
+				if s.Resources.Equals(statement.Resources) {
+					statements[i].Conditions = mergeConditionMap(s.Conditions, statement.Conditions)
+					return statements
+				}
+			}
+		}
+	}
+
+	if !(statement.Actions.IsEmpty() && statement.Resources.IsEmpty()) {
+		return append(statements, statement)
+	}
+
+	return statements
+}
+
+// Appends two statement lists.
+func appendStatements(statements []Statement, appendStatements []Statement) []Statement {
+	for _, s := range appendStatements {
+		statements = appendStatement(statements, s)
+	}
+
+	return statements
+}
+
+// Returns policy of given bucket statement.
+func getBucketPolicy(statement Statement, prefix string) (commonFound, readOnly, writeOnly bool) {
+	if !(statement.Effect == "Allow" && statement.Principal.AWS.Contains("*")) {
+		return commonFound, readOnly, writeOnly
+	}
+
+	if statement.Actions.Intersection(commonBucketActions).Equals(commonBucketActions) &&
+		statement.Conditions == nil {
+		commonFound = true
+	}
+
+	if statement.Actions.Intersection(writeOnlyBucketActions).Equals(writeOnlyBucketActions) &&
+		statement.Conditions == nil {
+		writeOnly = true
+	}
+
+	if statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) {
+		if prefix != "" && statement.Conditions != nil {
+			if stringEqualsValue, ok := statement.Conditions["StringEquals"]; ok {
+				if s3PrefixValues, ok := stringEqualsValue["s3:prefix"]; ok {
+					if s3PrefixValues.Contains(prefix) {
+						readOnly = true
+					}
+				}
+			} else if stringNotEqualsValue, ok := statement.Conditions["StringNotEquals"]; ok {
+				if s3PrefixValues, ok := stringNotEqualsValue["s3:prefix"]; ok {
+					if !s3PrefixValues.Contains(prefix) {
+						readOnly = true
+					}
+				}
+			}
+		} else if prefix == "" && statement.Conditions == nil {
+			readOnly = true
+		} else if prefix != "" && statement.Conditions == nil {
+			readOnly = true
+		}
+	}
+
+	return commonFound, readOnly, writeOnly
+}
+
+// Returns policy of given object statement.
+func getObjectPolicy(statement Statement) (readOnly bool, writeOnly bool) {
+	if statement.Effect == "Allow" &&
+		statement.Principal.AWS.Contains("*") &&
+		statement.Conditions == nil {
+		if statement.Actions.Intersection(readOnlyObjectActions).Equals(readOnlyObjectActions) {
+			readOnly = true
+		}
+		if statement.Actions.Intersection(writeOnlyObjectActions).Equals(writeOnlyObjectActions) {
+			writeOnly = true
+		}
+	}
+
+	return readOnly, writeOnly
+}
+
+// Returns policy of given bucket name, prefix in given statements.
+func GetPolicy(statements []Statement, bucketName string, prefix string) BucketPolicy {
+	bucketResource := awsResourcePrefix + bucketName
+	objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*"
+
+	bucketCommonFound := false
+	bucketReadOnly := false
+	bucketWriteOnly := false
+	matchedResource := ""
+	objReadOnly := false
+	objWriteOnly := false
+
+	for _, s := range statements {
+		matchedObjResources := set.NewStringSet()
+		if s.Resources.Contains(objectResource) {
+			matchedObjResources.Add(objectResource)
+		} else {
+			matchedObjResources = s.Resources.FuncMatch(resourceMatch, objectResource)
+		}
+
+		if !matchedObjResources.IsEmpty() {
+			readOnly, writeOnly := getObjectPolicy(s)
+			for resource := range matchedObjResources {
+				if len(matchedResource) < len(resource) {
+					objReadOnly = readOnly
+					objWriteOnly = writeOnly
+					matchedResource = resource
+				} else if len(matchedResource) == len(resource) {
+					objReadOnly = objReadOnly || readOnly
+					objWriteOnly = objWriteOnly || writeOnly
+					matchedResource = resource
+				}
+			}
+		} else if s.Resources.Contains(bucketResource) {
+			commonFound, readOnly, writeOnly := getBucketPolicy(s, prefix)
+			bucketCommonFound = bucketCommonFound || commonFound
+			bucketReadOnly = bucketReadOnly || readOnly
+			bucketWriteOnly = bucketWriteOnly || writeOnly
+		}
+	}
+
+	policy := BucketPolicyNone
+	if bucketCommonFound {
+		if bucketReadOnly && bucketWriteOnly && objReadOnly && objWriteOnly {
+			policy = BucketPolicyReadWrite
+		} else if bucketReadOnly && objReadOnly {
+			policy = BucketPolicyReadOnly
+		} else if bucketWriteOnly && objWriteOnly {
+			policy = BucketPolicyWriteOnly
+		}
+	}
+
+	return policy
+}
+
+// GetPolicies returns a map of policies rules of given bucket name, prefix in given statements.
+func GetPolicies(statements []Statement, bucketName string) map[string]BucketPolicy {
+	policyRules := map[string]BucketPolicy{}
+	objResources := set.NewStringSet()
+	// Search all resources related to objects policy
+	for _, s := range statements {
+		for r := range s.Resources {
+			if strings.HasPrefix(r, awsResourcePrefix+bucketName+"/") {
+				objResources.Add(r)
+			}
+		}
+	}
+	// Pretend that policy resource as an actual object and fetch its policy
+	for r := range objResources {
+		// Put trailing * if exists in asterisk
+		asterisk := ""
+		if strings.HasSuffix(r, "*") {
+			r = r[:len(r)-1]
+			asterisk = "*"
+		}
+		objectPath := r[len(awsResourcePrefix+bucketName)+1 : len(r)]
+		p := GetPolicy(statements, bucketName, objectPath)
+		policyRules[bucketName+"/"+objectPath+asterisk] = p
+	}
+	return policyRules
+}
+
+// Returns new statements containing policy of given bucket name and
+// prefix are appended.
+func SetPolicy(statements []Statement, policy BucketPolicy, bucketName string, prefix string) []Statement {
+	out := removeStatements(statements, bucketName, prefix)
+	// fmt.Println("out = ")
+	// printstatement(out)
+	ns := newStatements(policy, bucketName, prefix)
+	// fmt.Println("ns = ")
+	// printstatement(ns)
+
+	rv := appendStatements(out, ns)
+	// fmt.Println("rv = ")
+	// printstatement(rv)
+
+	return rv
+}
+
+// Match function matches wild cards in 'pattern' for resource.
+func resourceMatch(pattern, resource string) bool {
+	if pattern == "" {
+		return resource == pattern
+	}
+	if pattern == "*" {
+		return true
+	}
+	parts := strings.Split(pattern, "*")
+	if len(parts) == 1 {
+		return resource == pattern
+	}
+	tGlob := strings.HasSuffix(pattern, "*")
+	end := len(parts) - 1
+	if !strings.HasPrefix(resource, parts[0]) {
+		return false
+	}
+	for i := 1; i < end; i++ {
+		if !strings.Contains(resource, parts[i]) {
+			return false
+		}
+		idx := strings.Index(resource, parts[i]) + len(parts[i])
+		resource = resource[idx:]
+	}
+	return tGlob || strings.HasSuffix(resource, parts[end])
+}
diff --git a/pkg/policy/bucket-policy_test.go b/pkg/policy/bucket-policy_test.go
new file mode 100644
index 0000000..b1862c6
--- /dev/null
+++ b/pkg/policy/bucket-policy_test.go
@@ -0,0 +1,1822 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package policy
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/minio/minio-go/pkg/set"
+)
+
+// isValidStatement() is called and the result is validated.
+func TestIsValidStatement(t *testing.T) {
+	testCases := []struct {
+		statement      Statement
+		bucketName     string
+		expectedResult bool
+	}{
+		// Empty statement and bucket name.
+		{Statement{}, "", false},
+		// Empty statement.
+		{Statement{}, "mybucket", false},
+		// Empty bucket name.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false},
+		// Statement with unknown actions.
+		{Statement{
+			Actions:   set.CreateStringSet("s3:ListBucketVersions"),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "mybucket", false},
+		// Statement with unknown effect.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Deny",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "mybucket", false},
+		// Statement with nil Principal.AWS.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "mybucket", false},
+		// Statement with unknown Principal.AWS.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "mybucket", false},
+		// Statement with different bucket name.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}, "mybucket", false},
+		// Statement with bucket name with suffixed string.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybuckettest/myobject"),
+		}, "mybucket", false},
+		// Statement with bucket name and object name.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/myobject"),
+		}, "mybucket", true},
+		// Statement with condition, bucket name and object name.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/myobject"),
+		}, "mybucket", true},
+	}
+
+	for _, testCase := range testCases {
+		if result := isValidStatement(testCase.statement, testCase.bucketName); result != testCase.expectedResult {
+			t.Fatalf("%+v: expected: %t, got: %t", testCase, testCase.expectedResult, result)
+		}
+	}
+}
+
+// newStatements() is called and the result is validated.
+func TestNewStatements(t *testing.T) {
+	testCases := []struct {
+		policy         BucketPolicy
+		bucketName     string
+		prefix         string
+		expectedResult string
+	}{
+		// BucketPolicyNone: with empty bucket name and prefix.
+		{BucketPolicyNone, "", "", `[]`},
+		// BucketPolicyNone: with bucket name and empty prefix.
+		{BucketPolicyNone, "mybucket", "", `[]`},
+		// BucketPolicyNone: with empty bucket name empty prefix.
+		{BucketPolicyNone, "", "hello", `[]`},
+		// BucketPolicyNone: with bucket name prefix.
+		{BucketPolicyNone, "mybucket", "hello", `[]`},
+		// BucketPolicyReadOnly: with empty bucket name and prefix.
+		{BucketPolicyReadOnly, "", "", `[]`},
+		// BucketPolicyReadOnly: with bucket name and empty prefix.
+		{BucketPolicyReadOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// BucketPolicyReadOnly: with empty bucket name empty prefix.
+		{BucketPolicyReadOnly, "", "hello", `[]`},
+		// BucketPolicyReadOnly: with bucket name prefix.
+		{BucketPolicyReadOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// BucketPolicyReadWrite: with empty bucket name and prefix.
+		{BucketPolicyReadWrite, "", "", `[]`},
+		// BucketPolicyReadWrite: with bucket name and empty prefix.
+		{BucketPolicyReadWrite, "mybucket", "", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// BucketPolicyReadWrite: with empty bucket name empty prefix.
+		{BucketPolicyReadWrite, "", "hello", `[]`},
+		// BucketPolicyReadWrite: with bucket name prefix.
+		{BucketPolicyReadWrite, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// BucketPolicyWriteOnly: with empty bucket name and prefix.
+		{BucketPolicyWriteOnly, "", "", `[]`},
+		// BucketPolicyWriteOnly: with bucket name and empty prefix.
+		{BucketPolicyWriteOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// BucketPolicyWriteOnly: with empty bucket name empty prefix.
+		{BucketPolicyWriteOnly, "", "hello", `[]`},
+		// BucketPolicyWriteOnly: with bucket name prefix.
+		{BucketPolicyWriteOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+	}
+
+	for _, testCase := range testCases {
+		statements := newStatements(testCase.policy, testCase.bucketName, testCase.prefix)
+		if data, err := json.Marshal(statements); err == nil {
+			if string(data) != testCase.expectedResult {
+				t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+			}
+		}
+	}
+}
+
+// getInUsePolicy() is called and the result is validated.
+func TestGetInUsePolicy(t *testing.T) {
+	testCases := []struct {
+		statements      []Statement
+		bucketName      string
+		prefix          string
+		expectedResult1 bool
+		expectedResult2 bool
+	}{
+		// All empty statements, bucket name and prefix.
+		{[]Statement{}, "", "", false, false},
+		// Non-empty statements, empty bucket name and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "", "", false, false},
+		// Non-empty statements, non-empty bucket name and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", false, false},
+		// Non-empty statements, empty bucket name and non-empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "", "hello", false, false},
+		// Empty statements, non-empty bucket name and empty prefix.
+		{[]Statement{}, "mybucket", "", false, false},
+		// Empty statements, non-empty bucket name non-empty prefix.
+		{[]Statement{}, "mybucket", "hello", false, false},
+		// Empty statements, empty bucket name and non-empty prefix.
+		{[]Statement{}, "", "hello", false, false},
+		// Non-empty statements, non-empty bucket name, non-empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", false, false},
+		// different bucket statements and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, "mybucket", "", false, false},
+		// different bucket statements.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, "mybucket", "hello", false, false},
+		// different bucket multi-statements and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}, {
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket/world"),
+		}}, "mybucket", "", false, false},
+		// different bucket multi-statements.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}, {
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket/world"),
+		}}, "mybucket", "hello", false, false},
+		// read-only in use.
+		{[]Statement{{
+			Actions:    readOnlyObjectActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", true, false},
+		// write-only in use.
+		{[]Statement{{
+			Actions:    writeOnlyObjectActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", false, true},
+		// read-write in use.
+		{[]Statement{{
+			Actions:    readWriteObjectActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", true, true},
+		// read-write multi-statements.
+		{[]Statement{{
+			Actions:    readOnlyObjectActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}, {
+			Actions:    writeOnlyObjectActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/ground"),
+		}}, "mybucket", "hello", true, true},
+	}
+
+	for _, testCase := range testCases {
+		result1, result2 := getInUsePolicy(testCase.statements, testCase.bucketName, testCase.prefix)
+		if !(result1 == testCase.expectedResult1 && result2 == testCase.expectedResult2) {
+			t.Fatalf("%+v: expected: [%t,%t], got: [%t,%t]", testCase,
+				testCase.expectedResult1, testCase.expectedResult2,
+				result1, result2)
+		}
+	}
+}
+
+// removeStatements() is called and the result is validated.
+func TestRemoveStatements(t *testing.T) {
+	unknownCondMap1 := make(ConditionMap)
+	unknownCondKeyMap1 := make(ConditionKeyMap)
+	unknownCondKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+	unknownCondMap1.Add("StringNotEquals", unknownCondKeyMap1)
+
+	unknownCondMap11 := make(ConditionMap)
+	unknownCondKeyMap11 := make(ConditionKeyMap)
+	unknownCondKeyMap11.Add("s3:prefix", set.CreateStringSet("hello"))
+	unknownCondMap11.Add("StringNotEquals", unknownCondKeyMap11)
+
+	unknownCondMap12 := make(ConditionMap)
+	unknownCondKeyMap12 := make(ConditionKeyMap)
+	unknownCondKeyMap12.Add("s3:prefix", set.CreateStringSet("hello"))
+	unknownCondMap12.Add("StringNotEquals", unknownCondKeyMap12)
+
+	knownCondMap1 := make(ConditionMap)
+	knownCondKeyMap1 := make(ConditionKeyMap)
+	knownCondKeyMap1.Add("s3:prefix", set.CreateStringSet("hello"))
+	knownCondMap1.Add("StringEquals", knownCondKeyMap1)
+
+	knownCondMap11 := make(ConditionMap)
+	knownCondKeyMap11 := make(ConditionKeyMap)
+	knownCondKeyMap11.Add("s3:prefix", set.CreateStringSet("hello"))
+	knownCondMap11.Add("StringEquals", knownCondKeyMap11)
+
+	knownCondMap12 := make(ConditionMap)
+	knownCondKeyMap12 := make(ConditionKeyMap)
+	knownCondKeyMap12.Add("s3:prefix", set.CreateStringSet("hello"))
+	knownCondMap12.Add("StringEquals", knownCondKeyMap12)
+
+	knownCondMap13 := make(ConditionMap)
+	knownCondKeyMap13 := make(ConditionKeyMap)
+	knownCondKeyMap13.Add("s3:prefix", set.CreateStringSet("hello"))
+	knownCondMap13.Add("StringEquals", knownCondKeyMap13)
+
+	knownCondMap14 := make(ConditionMap)
+	knownCondKeyMap14 := make(ConditionKeyMap)
+	knownCondKeyMap14.Add("s3:prefix", set.CreateStringSet("hello"))
+	knownCondMap14.Add("StringEquals", knownCondKeyMap14)
+
+	knownCondMap2 := make(ConditionMap)
+	knownCondKeyMap2 := make(ConditionKeyMap)
+	knownCondKeyMap2.Add("s3:prefix", set.CreateStringSet("hello", "world"))
+	knownCondMap2.Add("StringEquals", knownCondKeyMap2)
+
+	testCases := []struct {
+		statements     []Statement
+		bucketName     string
+		prefix         string
+		expectedResult string
+	}{
+		// All empty statements, bucket name and prefix.
+		{[]Statement{}, "", "", `[]`},
+		// Non-empty statements, empty bucket name and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Non-empty statements, non-empty bucket name and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Non-empty statements, empty bucket name and non-empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Empty statements, non-empty bucket name and empty prefix.
+		{[]Statement{}, "mybucket", "", `[]`},
+		// Empty statements, non-empty bucket name non-empty prefix.
+		{[]Statement{}, "mybucket", "hello", `[]`},
+		// Empty statements, empty bucket name and non-empty prefix.
+		{[]Statement{}, "", "hello", `[]`},
+		// Statement with unknown Actions with empty prefix.
+		{[]Statement{{
+			Actions:   set.CreateStringSet("s3:ListBucketVersions", "s3:ListAllMyBuckets"),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListAllMyBuckets","s3:ListBucketVersions"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Actions.
+		{[]Statement{{
+			Actions:   set.CreateStringSet("s3:ListBucketVersions", "s3:ListAllMyBuckets"),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListAllMyBuckets","s3:ListBucketVersions"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Effect with empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Deny",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Deny","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Effect.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Deny",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Deny","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Principal.User.AWS with empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::AccountNumberWithoutHyphens:root"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Principal.User.AWS.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["arn:aws:iam::AccountNumberWithoutHyphens:root"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Principal.User.CanonicalUser with empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{CanonicalUser: set.CreateStringSet("649262f44b8145cb")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"CanonicalUser":["649262f44b8145cb"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Principal.User.CanonicalUser.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{CanonicalUser: set.CreateStringSet("649262f44b8145cb")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"CanonicalUser":["649262f44b8145cb"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Conditions with empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Conditions.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statement with unknown Resource and empty prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// Statement with unknown Resource.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// Statement with known Actions with empty prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[]`},
+		// Statement with known Actions.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[]`},
+		// Statement with known multiple Actions with empty prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions).Union(commonBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", `[]`},
+		// Statement with known multiple Actions.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions).Union(commonBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", `[]`},
+		// RemoveBucketActions with readOnlyInUse.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, readOnlyInUse.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with writeOnlyInUse.
+		{[]Statement{{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, writeOnlyInUse.
+		{[]Statement{{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with readOnlyInUse and writeOnlyInUse.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readWriteObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, readOnlyInUse and writeOnlyInUse.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readWriteObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with known Conditions, readOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, known Conditions, readOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, known Conditions contains other object prefix, readOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap2,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with unknown Conditions, readOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, unknown Conditions, readOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with known Conditions, writeOnlyInUse.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap11,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, known Conditions, writeOnlyInUse.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap11,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with unknown Conditions, writeOnlyInUse.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap11,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, unknown Conditions, writeOnlyInUse.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap11,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with known Conditions, readOnlyInUse and writeOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap12,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, known Conditions, readOnlyInUse and writeOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap12,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with unknown Conditions, readOnlyInUse and writeOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap12,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// RemoveBucketActions with prefix, unknown Conditions, readOnlyInUse and writeOnlyInUse.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap12,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/world"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/world"],"Sid":""}]`},
+		// readOnlyObjectActions - RemoveObjectActions with known condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// readOnlyObjectActions - RemoveObjectActions with prefix, known condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "hello", `[]`},
+		// readOnlyObjectActions - RemoveObjectActions with unknown condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// readOnlyObjectActions - RemoveObjectActions with prefix, unknown condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// writeOnlyObjectActions - RemoveObjectActions with known condition.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap13,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// writeOnlyObjectActions - RemoveObjectActions with prefix, known condition.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap13,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// writeOnlyObjectActions - RemoveObjectActions with unknown condition.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// writeOnlyObjectActions - RemoveObjectActions with prefix, unknown condition.
+		{[]Statement{{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// readWriteObjectActions - RemoveObjectActions with known condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap14,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// readWriteObjectActions - RemoveObjectActions with prefix, known condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: knownCondMap13,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "hello", `[]`},
+		// readWriteObjectActions - RemoveObjectActions with unknown condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// readWriteObjectActions - RemoveObjectActions with prefix, unknown condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, {
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}}, "mybucket", "hello", `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringNotEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+	}
+
+	for _, testCase := range testCases {
+		statements := removeStatements(testCase.statements, testCase.bucketName, testCase.prefix)
+		if data, err := json.Marshal(statements); err != nil {
+			t.Fatalf("unable encoding to json, %s", err)
+		} else if string(data) != testCase.expectedResult {
+			t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+		}
+	}
+}
+
+// appendStatement() is called and the result is validated.
+func TestAppendStatement(t *testing.T) {
+	condMap := make(ConditionMap)
+	condKeyMap := make(ConditionKeyMap)
+	condKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+	condMap.Add("StringEquals", condKeyMap)
+
+	condMap1 := make(ConditionMap)
+	condKeyMap1 := make(ConditionKeyMap)
+	condKeyMap1.Add("s3:prefix", set.CreateStringSet("world"))
+	condMap1.Add("StringEquals", condKeyMap1)
+
+	unknownCondMap1 := make(ConditionMap)
+	unknownCondKeyMap1 := make(ConditionKeyMap)
+	unknownCondKeyMap1.Add("s3:prefix", set.CreateStringSet("world"))
+	unknownCondMap1.Add("StringNotEquals", unknownCondKeyMap1)
+
+	testCases := []struct {
+		statements     []Statement
+		statement      Statement
+		expectedResult string
+	}{
+		// Empty statements and empty new statement.
+		{[]Statement{}, Statement{}, `[]`},
+		// Non-empty statements and empty new statement.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{}, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Empty statements and non-empty new statement.
+		{[]Statement{}, Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Append existing statement.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Append same statement with different resource.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// Append same statement with different actions.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Elements of new statement contains elements in statements.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+		}}, Statement{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// Elements of new statement with conditions contains elements in statements.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+		}}, Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// Statements with condition and new statement with condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+		}}, Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statements with condition and same resources, and new statement with condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello","world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statements with unknown condition and same resources, and new statement with known condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: unknownCondMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap1,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["world"]},"StringNotEquals":{"s3:prefix":["world"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statements without condition and new statement with condition.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+		}}, Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statements with condition and new statement without condition.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: condMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket", "arn:aws:s3:::testbucket"),
+		}}, Statement{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, `[{"Action":["s3:ListBucket","s3:ListBucketMultipartUploads"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket","arn:aws:s3:::testbucket"],"Sid":""},{"Action":["s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// Statements and new statement are different.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, Statement{
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+	}
+
+	for _, testCase := range testCases {
+		statements := appendStatement(testCase.statements, testCase.statement)
+		if data, err := json.Marshal(statements); err != nil {
+			t.Fatalf("unable encoding to json, %s", err)
+		} else if string(data) != testCase.expectedResult {
+			t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+		}
+	}
+}
+
+// getBucketPolicy() is called and the result is validated.
+func TestGetBucketPolicy(t *testing.T) {
+	helloCondMap := make(ConditionMap)
+	helloCondKeyMap := make(ConditionKeyMap)
+	helloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+	helloCondMap.Add("StringEquals", helloCondKeyMap)
+
+	worldCondMap := make(ConditionMap)
+	worldCondKeyMap := make(ConditionKeyMap)
+	worldCondKeyMap.Add("s3:prefix", set.CreateStringSet("world"))
+	worldCondMap.Add("StringEquals", worldCondKeyMap)
+
+	notHelloCondMap := make(ConditionMap)
+	notHelloCondMap.Add("StringNotEquals", worldCondKeyMap)
+
+	testCases := []struct {
+		statement       Statement
+		prefix          string
+		expectedResult1 bool
+		expectedResult2 bool
+		expectedResult3 bool
+	}{
+		// Statement with invalid Effect.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Deny",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with invalid Effect with prefix.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Deny",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, false},
+		// Statement with invalid Principal.AWS.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with invalid Principal.AWS with prefix.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, false},
+
+		// Statement with commonBucketActions.
+		{Statement{
+			Actions:   commonBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", true, false, false},
+		// Statement with commonBucketActions.
+		{Statement{
+			Actions:   commonBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", true, false, false},
+
+		// Statement with commonBucketActions and condition.
+		{Statement{
+			Actions:    commonBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with commonBucketActions and condition.
+		{Statement{
+			Actions:    commonBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, false},
+		// Statement with writeOnlyBucketActions.
+		{Statement{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, true},
+		// Statement with writeOnlyBucketActions.
+		{Statement{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, true},
+		// Statement with writeOnlyBucketActions and condition
+		{Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with writeOnlyBucketActions and condition.
+		{Statement{
+			Actions:    writeOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, false},
+		// Statement with readOnlyBucketActions.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, true, false},
+		// Statement with readOnlyBucketActions.
+		{Statement{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, true, false},
+		// Statement with readOnlyBucketActions with empty condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with readOnlyBucketActions with empty condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, false},
+		// Statement with readOnlyBucketActions with matching condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with readOnlyBucketActions with matching condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, true, false},
+
+		// Statement with readOnlyBucketActions with different condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: worldCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with readOnlyBucketActions with different condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: worldCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, false, false},
+
+		// Statement with readOnlyBucketActions with StringNotEquals condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: notHelloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "", false, false, false},
+		// Statement with readOnlyBucketActions with StringNotEquals condition.
+		{Statement{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: notHelloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}, "hello", false, true, false},
+	}
+
+	for _, testCase := range testCases {
+		commonFound, readOnly, writeOnly := getBucketPolicy(testCase.statement, testCase.prefix)
+		if !(testCase.expectedResult1 == commonFound && testCase.expectedResult2 == readOnly && testCase.expectedResult3 == writeOnly) {
+			t.Fatalf("%+v: expected: [%t,%t,%t], got: [%t,%t,%t]", testCase,
+				testCase.expectedResult1, testCase.expectedResult2, testCase.expectedResult3,
+				commonFound, readOnly, writeOnly)
+		}
+	}
+}
+
+// getObjectPolicy() is called and the result is validated.
+func TestGetObjectPolicy(t *testing.T) {
+	testCases := []struct {
+		statement       Statement
+		expectedResult1 bool
+		expectedResult2 bool
+	}{
+		// Statement with invalid Effect.
+		{Statement{
+			Actions:   readOnlyObjectActions,
+			Effect:    "Deny",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, false, false},
+		// Statement with invalid Principal.AWS.
+		{Statement{
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("arn:aws:iam::AccountNumberWithoutHyphens:root")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, false, false},
+		// Statement with condition.
+		{Statement{
+			Actions:    readOnlyObjectActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: make(ConditionMap),
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, false, false},
+		// Statement with readOnlyObjectActions.
+		{Statement{
+			Actions:   readOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, true, false},
+		// Statement with writeOnlyObjectActions.
+		{Statement{
+			Actions:   writeOnlyObjectActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, false, true},
+		// Statement with readOnlyObjectActions and writeOnlyObjectActions.
+		{Statement{
+			Actions:   readOnlyObjectActions.Union(writeOnlyObjectActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket/hello*"),
+		}, true, true},
+	}
+
+	for _, testCase := range testCases {
+		readOnly, writeOnly := getObjectPolicy(testCase.statement)
+		if !(testCase.expectedResult1 == readOnly && testCase.expectedResult2 == writeOnly) {
+			t.Fatalf("%+v: expected: [%t,%t], got: [%t,%t]", testCase,
+				testCase.expectedResult1, testCase.expectedResult2,
+				readOnly, writeOnly)
+		}
+	}
+}
+
+// GetPolicyRules is called and the result is validated
+func TestListBucketPolicies(t *testing.T) {
+
+	// Condition for read objects
+	downloadCondMap := make(ConditionMap)
+	downloadCondKeyMap := make(ConditionKeyMap)
+	downloadCondKeyMap.Add("s3:prefix", set.CreateStringSet("download"))
+	downloadCondMap.Add("StringEquals", downloadCondKeyMap)
+
+	// Condition for readwrite objects
+	downloadUploadCondMap := make(ConditionMap)
+	downloadUploadCondKeyMap := make(ConditionKeyMap)
+	downloadUploadCondKeyMap.Add("s3:prefix", set.CreateStringSet("both"))
+	downloadUploadCondMap.Add("StringEquals", downloadUploadCondKeyMap)
+
+	testCases := []struct {
+		statements     []Statement
+		bucketName     string
+		prefix         string
+		expectedResult map[string]BucketPolicy
+	}{
+		// Empty statements, bucket name and prefix.
+		{[]Statement{}, "", "", map[string]BucketPolicy{}},
+		// Non-empty statements, empty bucket name and empty prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "", "", map[string]BucketPolicy{}},
+		// Empty statements, non-empty bucket name and empty prefix.
+		{[]Statement{}, "mybucket", "", map[string]BucketPolicy{}},
+		// Readonly object statement
+		{[]Statement{
+			{
+				Actions:   commonBucketActions,
+				Effect:    "Allow",
+				Principal: User{AWS: set.CreateStringSet("*")},
+				Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+			},
+			{
+				Actions:    readOnlyBucketActions,
+				Effect:     "Allow",
+				Principal:  User{AWS: set.CreateStringSet("*")},
+				Conditions: downloadCondMap,
+				Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+			},
+			{
+				Actions:   readOnlyObjectActions,
+				Effect:    "Allow",
+				Principal: User{AWS: set.CreateStringSet("*")},
+				Resources: set.CreateStringSet("arn:aws:s3:::mybucket/download*"),
+			}}, "mybucket", "", map[string]BucketPolicy{"mybucket/download*": BucketPolicyReadOnly}},
+		// Write Only
+		{[]Statement{
+			{
+				Actions:   commonBucketActions.Union(writeOnlyBucketActions),
+				Effect:    "Allow",
+				Principal: User{AWS: set.CreateStringSet("*")},
+				Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+			},
+			{
+				Actions:   writeOnlyObjectActions,
+				Effect:    "Allow",
+				Principal: User{AWS: set.CreateStringSet("*")},
+				Resources: set.CreateStringSet("arn:aws:s3:::mybucket/upload*"),
+			}}, "mybucket", "", map[string]BucketPolicy{"mybucket/upload*": BucketPolicyWriteOnly}},
+		// Readwrite
+		{[]Statement{
+			{
+				Actions:   commonBucketActions.Union(writeOnlyBucketActions),
+				Effect:    "Allow",
+				Principal: User{AWS: set.CreateStringSet("*")},
+				Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+			},
+			{
+				Actions:    readOnlyBucketActions,
+				Effect:     "Allow",
+				Principal:  User{AWS: set.CreateStringSet("*")},
+				Conditions: downloadUploadCondMap,
+				Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+			},
+			{
+				Actions:   writeOnlyObjectActions.Union(readOnlyObjectActions),
+				Effect:    "Allow",
+				Principal: User{AWS: set.CreateStringSet("*")},
+				Resources: set.CreateStringSet("arn:aws:s3:::mybucket/both*"),
+			}}, "mybucket", "", map[string]BucketPolicy{"mybucket/both*": BucketPolicyReadWrite}},
+	}
+
+	for _, testCase := range testCases {
+		policyRules := GetPolicies(testCase.statements, testCase.bucketName)
+		if !reflect.DeepEqual(testCase.expectedResult, policyRules) {
+			t.Fatalf("%+v:\n expected: %+v, got: %+v", testCase, testCase.expectedResult, policyRules)
+		}
+	}
+}
+
+// GetPolicy() is called and the result is validated.
+func TestGetPolicy(t *testing.T) {
+	helloCondMap := make(ConditionMap)
+	helloCondKeyMap := make(ConditionKeyMap)
+	helloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+	helloCondMap.Add("StringEquals", helloCondKeyMap)
+
+	testCases := []struct {
+		statements     []Statement
+		bucketName     string
+		prefix         string
+		expectedResult BucketPolicy
+	}{
+		// Empty statements, bucket name and prefix.
+		{[]Statement{}, "", "", BucketPolicyNone},
+		// Non-empty statements, empty bucket name and empty prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "", "", BucketPolicyNone},
+		// Empty statements, non-empty bucket name and empty prefix.
+		{[]Statement{}, "mybucket", "", BucketPolicyNone},
+		// not-matching Statements.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// not-matching Statements with prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+		// Statements with only commonBucketActions.
+		{[]Statement{{
+			Actions:   commonBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// Statements with only commonBucketActions with prefix.
+		{[]Statement{{
+			Actions:   commonBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions with prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions with conditions.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions with prefix with conditons.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+		// Statements with only writeOnlyBucketActions.
+		{[]Statement{{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// Statements with only writeOnlyBucketActions with prefix.
+		{[]Statement{{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions + writeOnlyBucketActions.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions + writeOnlyBucketActions with prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions + writeOnlyBucketActions and conditions.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "", BucketPolicyNone},
+		// Statements with only readOnlyBucketActions + writeOnlyBucketActions and conditions with prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions.Union(writeOnlyBucketActions),
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, "mybucket", "hello", BucketPolicyNone},
+	}
+
+	for _, testCase := range testCases {
+		policy := GetPolicy(testCase.statements, testCase.bucketName, testCase.prefix)
+		if testCase.expectedResult != policy {
+			t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, policy)
+		}
+	}
+}
+
+// SetPolicy() is called and the result is validated.
+func TestSetPolicy(t *testing.T) {
+	helloCondMap := make(ConditionMap)
+	helloCondKeyMap := make(ConditionKeyMap)
+	helloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello"))
+	helloCondMap.Add("StringEquals", helloCondKeyMap)
+
+	testCases := []struct {
+		statements     []Statement
+		policy         BucketPolicy
+		bucketName     string
+		prefix         string
+		expectedResult string
+	}{
+		// BucketPolicyNone - empty statements, bucket name and prefix.
+		{[]Statement{}, BucketPolicyNone, "", "", `[]`},
+		// BucketPolicyNone - non-empty statements, bucket name and prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyNone, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""}]`},
+		// BucketPolicyNone - empty statements, non-empty bucket name and prefix.
+		{[]Statement{}, BucketPolicyNone, "mybucket", "", `[]`},
+		// BucketPolicyNone - empty statements, bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyNone, "", "hello", `[]`},
+		// BucketPolicyReadOnly - empty statements, bucket name and prefix.
+		{[]Statement{}, BucketPolicyReadOnly, "", "", `[]`},
+		// BucketPolicyReadOnly - non-empty statements, bucket name and prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, BucketPolicyReadOnly, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// BucketPolicyReadOnly - empty statements, non-empty bucket name and prefix.
+		{[]Statement{}, BucketPolicyReadOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// BucketPolicyReadOnly - empty statements, bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyReadOnly, "", "hello", `[]`},
+		// BucketPolicyReadOnly - empty statements, non-empty bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyReadOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// BucketPolicyWriteOnly - empty statements, bucket name and prefix.
+		{[]Statement{}, BucketPolicyReadOnly, "", "", `[]`},
+		// BucketPolicyWriteOnly - non-empty statements, bucket name and prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, BucketPolicyWriteOnly, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// BucketPolicyWriteOnly - empty statements, non-empty bucket name and prefix.
+		{[]Statement{}, BucketPolicyWriteOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// BucketPolicyWriteOnly - empty statements, bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyWriteOnly, "", "hello", `[]`},
+		// BucketPolicyWriteOnly - empty statements, non-empty bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyWriteOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// BucketPolicyReadWrite - empty statements, bucket name and prefix.
+		{[]Statement{}, BucketPolicyReadWrite, "", "", `[]`},
+		// BucketPolicyReadWrite - non-empty statements, bucket name and prefix.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::testbucket"),
+		}}, BucketPolicyReadWrite, "", "", `[{"Action":["s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::testbucket"],"Sid":""}]`},
+		// BucketPolicyReadWrite - empty statements, non-empty bucket name and prefix.
+		{[]Statement{}, BucketPolicyReadWrite, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// BucketPolicyReadWrite - empty statements, bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyReadWrite, "", "hello", `[]`},
+		// BucketPolicyReadWrite - empty statements, non-empty bucket name and non-empty prefix.
+		{[]Statement{}, BucketPolicyReadWrite, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// Set readonly.
+		{[]Statement{{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyReadOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// Set readonly with prefix.
+		{[]Statement{{
+			Actions:   writeOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyReadOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:GetObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+		// Set writeonly.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyWriteOnly, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// Set writeonly with prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyWriteOnly, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+
+		// Set readwrite.
+		{[]Statement{{
+			Actions:   readOnlyBucketActions,
+			Effect:    "Allow",
+			Principal: User{AWS: set.CreateStringSet("*")},
+			Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyReadWrite, "mybucket", "", `[{"Action":["s3:GetBucketLocation","s3:ListBucket","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/*"],"Sid":""}]`},
+		// Set readwrite with prefix.
+		{[]Statement{{
+			Actions:    readOnlyBucketActions,
+			Effect:     "Allow",
+			Principal:  User{AWS: set.CreateStringSet("*")},
+			Conditions: helloCondMap,
+			Resources:  set.CreateStringSet("arn:aws:s3:::mybucket"),
+		}}, BucketPolicyReadWrite, "mybucket", "hello", `[{"Action":["s3:GetBucketLocation","s3:ListBucketMultipartUploads"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:ListBucket"],"Condition":{"StringEquals":{"s3:prefix":["hello"]}},"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket"],"Sid":""},{"Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Effect":"Allow","Principal":{"AWS":["*"]},"Resource":["arn:aws:s3:::mybucket/hello*"],"Sid":""}]`},
+	}
+
+	for _, testCase := range testCases {
+		statements := SetPolicy(testCase.statements, testCase.policy, testCase.bucketName, testCase.prefix)
+		if data, err := json.Marshal(statements); err != nil {
+			t.Fatalf("unable encoding to json, %s", err)
+		} else if string(data) != testCase.expectedResult {
+			t.Fatalf("%+v: expected: %s, got: %s", testCase, testCase.expectedResult, string(data))
+		}
+	}
+}
+
+// Validates bucket policy string.
+func TestIsValidBucketPolicy(t *testing.T) {
+	testCases := []struct {
+		inputPolicy    BucketPolicy
+		expectedResult bool
+	}{
+		// valid inputs.
+		{BucketPolicy("none"), true},
+		{BucketPolicy("readonly"), true},
+		{BucketPolicy("readwrite"), true},
+		{BucketPolicy("writeonly"), true},
+		// invalid input.
+		{BucketPolicy("readwriteonly"), false},
+		{BucketPolicy("writeread"), false},
+	}
+
+	for i, testCase := range testCases {
+		actualResult := testCase.inputPolicy.IsValidBucketPolicy()
+		if testCase.expectedResult != actualResult {
+			t.Errorf("Test %d: Expected IsValidBucket policy to be '%v' for policy \"%s\", but instead found it to be '%v'", i+1, testCase.expectedResult, testCase.inputPolicy, actualResult)
+		}
+	}
+}
+
+// Tests validate Bucket policy resource matcher.
+func TestBucketPolicyResourceMatch(t *testing.T) {
+
+	// generates\ statement with given resource..
+	generateStatement := func(resource string) Statement {
+		statement := Statement{}
+		statement.Resources = set.CreateStringSet(resource)
+		return statement
+	}
+
+	// generates resource prefix.
+	generateResource := func(bucketName, objectName string) string {
+		return awsResourcePrefix + bucketName + "/" + objectName
+	}
+
+	testCases := []struct {
+		resourceToMatch       string
+		statement             Statement
+		expectedResourceMatch bool
+	}{
+		// Test case 1-4.
+		// Policy with resource ending with bucket/* allows access to all objects inside the given bucket.
+		{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+		{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+		{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+		{generateResource("minio-bucket", ""), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/*")), true},
+		// Test case - 5.
+		// Policy with resource ending with bucket/oo* should not allow access to bucket/output.txt.
+		{generateResource("minio-bucket", "output.txt"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/oo*")), false},
+		// Test case - 6.
+		// Policy with resource ending with bucket/oo* should allow access to bucket/ootput.txt.
+		{generateResource("minio-bucket", "ootput.txt"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/oo*")), true},
+		// Test case - 7.
+		// Policy with resource ending with bucket/oo* allows access to all subfolders starting with "oo" inside given bucket.
+		{generateResource("minio-bucket", "oop-bucket/my-file"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/oo*")), true},
+		// Test case - 8.
+		{generateResource("minio-bucket", "Asia/India/1.pjg"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/Asia/Japan/*")), false},
+		// Test case - 9.
+		{generateResource("minio-bucket", "Asia/India/1.pjg"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix, "minio-bucket"+"/Asia/Japan/*")), false},
+		// Test case - 10.
+		// Proves that the name space is flat.
+		{generateResource("minio-bucket", "Africa/Bihar/India/design_info.doc/Bihar"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix,
+			"minio-bucket"+"/*/India/*/Bihar")), true},
+		// Test case - 11.
+		// Proves that the name space is flat.
+		{generateResource("minio-bucket", "Asia/China/India/States/Bihar/output.txt"), generateStatement(fmt.Sprintf("%s%s", awsResourcePrefix,
+			"minio-bucket"+"/*/India/*/Bihar/*")), true},
+	}
+	for i, testCase := range testCases {
+		resources := testCase.statement.Resources.FuncMatch(resourceMatch, testCase.resourceToMatch)
+		actualResourceMatch := resources.Equals(testCase.statement.Resources)
+		if testCase.expectedResourceMatch != actualResourceMatch {
+			t.Errorf("Test %d: Expected Resource match to be `%v`, but instead found it to be `%v`", i+1, testCase.expectedResourceMatch, actualResourceMatch)
+		}
+	}
+}
diff --git a/pkg/set/stringset.go b/pkg/set/stringset.go
new file mode 100644
index 0000000..55084d4
--- /dev/null
+++ b/pkg/set/stringset.go
@@ -0,0 +1,196 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2016 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package set
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+)
+
+// StringSet - uses map as set of strings.
+type StringSet map[string]struct{}
+
+// keys - returns StringSet keys.
+func (set StringSet) keys() []string {
+	keys := make([]string, 0, len(set))
+	for k := range set {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// IsEmpty - returns whether the set is empty or not.
+func (set StringSet) IsEmpty() bool {
+	return len(set) == 0
+}
+
+// Add - adds string to the set.
+func (set StringSet) Add(s string) {
+	set[s] = struct{}{}
+}
+
+// Remove - removes string in the set.  It does nothing if string does not exist in the set.
+func (set StringSet) Remove(s string) {
+	delete(set, s)
+}
+
+// Contains - checks if string is in the set.
+func (set StringSet) Contains(s string) bool {
+	_, ok := set[s]
+	return ok
+}
+
+// FuncMatch - returns new set containing each value who passes match function.
+// A 'matchFn' should accept element in a set as first argument and
+// 'matchString' as second argument.  The function can do any logic to
+// compare both the arguments and should return true to accept element in
+// a set to include in output set else the element is ignored.
+func (set StringSet) FuncMatch(matchFn func(string, string) bool, matchString string) StringSet {
+	nset := NewStringSet()
+	for k := range set {
+		if matchFn(k, matchString) {
+			nset.Add(k)
+		}
+	}
+	return nset
+}
+
+// ApplyFunc - returns new set containing each value processed by 'applyFn'.
+// A 'applyFn' should accept element in a set as a argument and return
+// a processed string.  The function can do any logic to return a processed
+// string.
+func (set StringSet) ApplyFunc(applyFn func(string) string) StringSet {
+	nset := NewStringSet()
+	for k := range set {
+		nset.Add(applyFn(k))
+	}
+	return nset
+}
+
+// Equals - checks whether given set is equal to current set or not.
+func (set StringSet) Equals(sset StringSet) bool {
+	// If length of set is not equal to length of given set, the
+	// set is not equal to given set.
+	if len(set) != len(sset) {
+		return false
+	}
+
+	// As both sets are equal in length, check each elements are equal.
+	for k := range set {
+		if _, ok := sset[k]; !ok {
+			return false
+		}
+	}
+
+	return true
+}
+
+// Intersection - returns the intersection with given set as new set.
+func (set StringSet) Intersection(sset StringSet) StringSet {
+	nset := NewStringSet()
+	for k := range set {
+		if _, ok := sset[k]; ok {
+			nset.Add(k)
+		}
+	}
+
+	return nset
+}
+
+// Difference - returns the difference with given set as new set.
+func (set StringSet) Difference(sset StringSet) StringSet {
+	nset := NewStringSet()
+	for k := range set {
+		if _, ok := sset[k]; !ok {
+			nset.Add(k)
+		}
+	}
+
+	return nset
+}
+
+// Union - returns the union with given set as new set.
+func (set StringSet) Union(sset StringSet) StringSet {
+	nset := NewStringSet()
+	for k := range set {
+		nset.Add(k)
+	}
+
+	for k := range sset {
+		nset.Add(k)
+	}
+
+	return nset
+}
+
+// MarshalJSON - converts to JSON data.
+func (set StringSet) MarshalJSON() ([]byte, error) {
+	return json.Marshal(set.keys())
+}
+
+// UnmarshalJSON - parses JSON data and creates new set with it.
+// If 'data' contains JSON string array, the set contains each string.
+// If 'data' contains JSON string, the set contains the string as one element.
+// If 'data' contains Other JSON types, JSON parse error is returned.
+func (set *StringSet) UnmarshalJSON(data []byte) error {
+	sl := []string{}
+	var err error
+	if err = json.Unmarshal(data, &sl); err == nil {
+		*set = make(StringSet)
+		for _, s := range sl {
+			set.Add(s)
+		}
+	} else {
+		var s string
+		if err = json.Unmarshal(data, &s); err == nil {
+			*set = make(StringSet)
+			set.Add(s)
+		}
+	}
+
+	return err
+}
+
+// String - returns printable string of the set.
+func (set StringSet) String() string {
+	return fmt.Sprintf("%s", set.keys())
+}
+
+// NewStringSet - creates new string set.
+func NewStringSet() StringSet {
+	return make(StringSet)
+}
+
+// CreateStringSet - creates new string set with given string values.
+func CreateStringSet(sl ...string) StringSet {
+	set := make(StringSet)
+	for _, k := range sl {
+		set.Add(k)
+	}
+	return set
+}
+
+// CopyStringSet - returns copy of given set.
+func CopyStringSet(set StringSet) StringSet {
+	nset := NewStringSet()
+	for k, v := range set {
+		nset[k] = v
+	}
+	return nset
+}
diff --git a/pkg/set/stringset_test.go b/pkg/set/stringset_test.go
new file mode 100644
index 0000000..4b74e70
--- /dev/null
+++ b/pkg/set/stringset_test.go
@@ -0,0 +1,322 @@
+/*
+ * Minio Go Library for Amazon S3 Compatible Cloud Storage (C) 2016 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package set
+
+import (
+	"strings"
+	"testing"
+)
+
+// NewStringSet() is called and the result is validated.
+func TestNewStringSet(t *testing.T) {
+	if ss := NewStringSet(); !ss.IsEmpty() {
+		t.Fatalf("expected: true, got: false")
+	}
+}
+
+// CreateStringSet() is called and the result is validated.
+func TestCreateStringSet(t *testing.T) {
+	ss := CreateStringSet("foo")
+	if str := ss.String(); str != `[foo]` {
+		t.Fatalf("expected: %s, got: %s", `["foo"]`, str)
+	}
+}
+
+// CopyStringSet() is called and the result is validated.
+func TestCopyStringSet(t *testing.T) {
+	ss := CreateStringSet("foo")
+	sscopy := CopyStringSet(ss)
+	if !ss.Equals(sscopy) {
+		t.Fatalf("expected: %s, got: %s", ss, sscopy)
+	}
+}
+
+// StringSet.Add() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetAdd(t *testing.T) {
+	testCases := []struct {
+		value          string
+		expectedResult string
+	}{
+		// Test first addition.
+		{"foo", `[foo]`},
+		// Test duplicate addition.
+		{"foo", `[foo]`},
+		// Test new addition.
+		{"bar", `[bar foo]`},
+	}
+
+	ss := NewStringSet()
+	for _, testCase := range testCases {
+		ss.Add(testCase.value)
+		if str := ss.String(); str != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, str)
+		}
+	}
+}
+
+// StringSet.Remove() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetRemove(t *testing.T) {
+	ss := CreateStringSet("foo", "bar")
+	testCases := []struct {
+		value          string
+		expectedResult string
+	}{
+		// Test removing non-existen item.
+		{"baz", `[bar foo]`},
+		// Test remove existing item.
+		{"foo", `[bar]`},
+		// Test remove existing item again.
+		{"foo", `[bar]`},
+		// Test remove to make set to empty.
+		{"bar", `[]`},
+	}
+
+	for _, testCase := range testCases {
+		ss.Remove(testCase.value)
+		if str := ss.String(); str != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, str)
+		}
+	}
+}
+
+// StringSet.Contains() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetContains(t *testing.T) {
+	ss := CreateStringSet("foo")
+	testCases := []struct {
+		value          string
+		expectedResult bool
+	}{
+		// Test to check non-existent item.
+		{"bar", false},
+		// Test to check existent item.
+		{"foo", true},
+		// Test to verify case sensitivity.
+		{"Foo", false},
+	}
+
+	for _, testCase := range testCases {
+		if result := ss.Contains(testCase.value); result != testCase.expectedResult {
+			t.Fatalf("expected: %t, got: %t", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.FuncMatch() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetFuncMatch(t *testing.T) {
+	ss := CreateStringSet("foo", "bar")
+	testCases := []struct {
+		matchFn        func(string, string) bool
+		value          string
+		expectedResult string
+	}{
+		// Test to check match function doing case insensive compare.
+		{func(setValue string, compareValue string) bool {
+			return strings.ToUpper(setValue) == strings.ToUpper(compareValue)
+		}, "Bar", `[bar]`},
+		// Test to check match function doing prefix check.
+		{func(setValue string, compareValue string) bool {
+			return strings.HasPrefix(compareValue, setValue)
+		}, "foobar", `[foo]`},
+	}
+
+	for _, testCase := range testCases {
+		s := ss.FuncMatch(testCase.matchFn, testCase.value)
+		if result := s.String(); result != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.ApplyFunc() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetApplyFunc(t *testing.T) {
+	ss := CreateStringSet("foo", "bar")
+	testCases := []struct {
+		applyFn        func(string) string
+		expectedResult string
+	}{
+		// Test to apply function prepending a known string.
+		{func(setValue string) string { return "mybucket/" + setValue }, `[mybucket/bar mybucket/foo]`},
+		// Test to apply function modifying values.
+		{func(setValue string) string { return setValue[1:] }, `[ar oo]`},
+	}
+
+	for _, testCase := range testCases {
+		s := ss.ApplyFunc(testCase.applyFn)
+		if result := s.String(); result != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.Equals() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetEquals(t *testing.T) {
+	testCases := []struct {
+		set1           StringSet
+		set2           StringSet
+		expectedResult bool
+	}{
+		// Test equal set
+		{CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar"), true},
+		// Test second set with more items
+		{CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar", "baz"), false},
+		// Test second set with less items
+		{CreateStringSet("foo", "bar"), CreateStringSet("bar"), false},
+	}
+
+	for _, testCase := range testCases {
+		if result := testCase.set1.Equals(testCase.set2); result != testCase.expectedResult {
+			t.Fatalf("expected: %t, got: %t", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.Intersection() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetIntersection(t *testing.T) {
+	testCases := []struct {
+		set1           StringSet
+		set2           StringSet
+		expectedResult StringSet
+	}{
+		// Test intersecting all values.
+		{CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar")},
+		// Test intersecting all values in second set.
+		{CreateStringSet("foo", "bar", "baz"), CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar")},
+		// Test intersecting different values in second set.
+		{CreateStringSet("foo", "baz"), CreateStringSet("baz", "bar"), CreateStringSet("baz")},
+		// Test intersecting none.
+		{CreateStringSet("foo", "baz"), CreateStringSet("poo", "bar"), NewStringSet()},
+	}
+
+	for _, testCase := range testCases {
+		if result := testCase.set1.Intersection(testCase.set2); !result.Equals(testCase.expectedResult) {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.Difference() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetDifference(t *testing.T) {
+	testCases := []struct {
+		set1           StringSet
+		set2           StringSet
+		expectedResult StringSet
+	}{
+		// Test differing none.
+		{CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar"), NewStringSet()},
+		// Test differing in first set.
+		{CreateStringSet("foo", "bar", "baz"), CreateStringSet("foo", "bar"), CreateStringSet("baz")},
+		// Test differing values in both set.
+		{CreateStringSet("foo", "baz"), CreateStringSet("baz", "bar"), CreateStringSet("foo")},
+		// Test differing all values.
+		{CreateStringSet("foo", "baz"), CreateStringSet("poo", "bar"), CreateStringSet("foo", "baz")},
+	}
+
+	for _, testCase := range testCases {
+		if result := testCase.set1.Difference(testCase.set2); !result.Equals(testCase.expectedResult) {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.Union() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetUnion(t *testing.T) {
+	testCases := []struct {
+		set1           StringSet
+		set2           StringSet
+		expectedResult StringSet
+	}{
+		// Test union same values.
+		{CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar")},
+		// Test union same values in second set.
+		{CreateStringSet("foo", "bar", "baz"), CreateStringSet("foo", "bar"), CreateStringSet("foo", "bar", "baz")},
+		// Test union different values in both set.
+		{CreateStringSet("foo", "baz"), CreateStringSet("baz", "bar"), CreateStringSet("foo", "baz", "bar")},
+		// Test union all different values.
+		{CreateStringSet("foo", "baz"), CreateStringSet("poo", "bar"), CreateStringSet("foo", "baz", "poo", "bar")},
+	}
+
+	for _, testCase := range testCases {
+		if result := testCase.set1.Union(testCase.set2); !result.Equals(testCase.expectedResult) {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.MarshalJSON() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetMarshalJSON(t *testing.T) {
+	testCases := []struct {
+		set            StringSet
+		expectedResult string
+	}{
+		// Test set with values.
+		{CreateStringSet("foo", "bar"), `["bar","foo"]`},
+		// Test empty set.
+		{NewStringSet(), "[]"},
+	}
+
+	for _, testCase := range testCases {
+		if result, _ := testCase.set.MarshalJSON(); string(result) != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, string(result))
+		}
+	}
+}
+
+// StringSet.UnmarshalJSON() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetUnmarshalJSON(t *testing.T) {
+	testCases := []struct {
+		data           []byte
+		expectedResult string
+	}{
+		// Test to convert JSON array to set.
+		{[]byte(`["bar","foo"]`), `[bar foo]`},
+		// Test to convert JSON string to set.
+		{[]byte(`"bar"`), `[bar]`},
+		// Test to convert JSON empty array to set.
+		{[]byte(`[]`), `[]`},
+		// Test to convert JSON empty string to set.
+		{[]byte(`""`), `[]`},
+	}
+
+	for _, testCase := range testCases {
+		var set StringSet
+		set.UnmarshalJSON(testCase.data)
+		if result := set.String(); result != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, result)
+		}
+	}
+}
+
+// StringSet.String() is called with series of cases for valid and erroneous inputs and the result is validated.
+func TestStringSetString(t *testing.T) {
+	testCases := []struct {
+		set            StringSet
+		expectedResult string
+	}{
+		// Test empty set.
+		{NewStringSet(), `[]`},
+		// Test set with empty value.
+		{CreateStringSet(""), `[]`},
+		// Test set with value.
+		{CreateStringSet("foo"), `[foo]`},
+	}
+
+	for _, testCase := range testCases {
+		if str := testCase.set.String(); str != testCase.expectedResult {
+			t.Fatalf("expected: %s, got: %s", testCase.expectedResult, str)
+		}
+	}
+}