Extend further validation of config values (#8469)

- This PR allows config KVS to be validated properly
  without being affected by ENV overrides, rejects
  invalid values during set operation

- Expands unit tests and refactors the error handling
  for notification targets, returns error instead of
  ignoring targets for invalid KVS

- Does all the prep-work for implementing safe-mode
  style operation for MinIO server, introduces a new
  global variable to toggle safe mode based operations
  NOTE: this PR itself doesn't provide safe mode operations

cmd/config/etcd/etcd.go

@@ -19,6 +19,7 @@ package etcd
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"strings"
 	"time"
 
@@ -75,6 +76,25 @@ func New(cfg Config) (*clientv3.Client, error) {
 	return clientv3.New(cfg.Config)
 }
 
+func parseEndpoints(endpoints string) ([]string, bool, error) {
+	etcdEndpoints := strings.Split(endpoints, config.ValueSeparator)
+
+	var etcdSecure bool
+	for _, endpoint := range etcdEndpoints {
+		u, err := xnet.ParseHTTPURL(endpoint)
+		if err != nil {
+			return nil, false, err
+		}
+		if etcdSecure && u.Scheme == "http" {
+			return nil, false, fmt.Errorf("all endpoints should be https or http: %s", endpoint)
+		}
+		// If one of the endpoint is https, we will use https directly.
+		etcdSecure = etcdSecure || u.Scheme == "https"
+	}
+
+	return etcdEndpoints, etcdSecure, nil
+}
+
 // LookupConfig - Initialize new etcd config.
 func LookupConfig(kv config.KVS, rootCAs *x509.CertPool) (Config, error) {
 	cfg := Config{}
@@ -96,22 +116,12 @@ func LookupConfig(kv config.KVS, rootCAs *x509.CertPool) (Config, error) {
 		return cfg, nil
 	}
 
-	cfg.Enabled = true
-	etcdEndpoints := strings.Split(endpoints, config.ValueSeparator)
-
-	var etcdSecure bool
-	for _, endpoint := range etcdEndpoints {
-		if endpoint == "" {
-			continue
-		}
-		u, err := xnet.ParseURL(endpoint)
-		if err != nil {
-			return cfg, err
-		}
-		// If one of the endpoint is https, we will use https directly.
-		etcdSecure = etcdSecure || u.Scheme == "https"
+	etcdEndpoints, etcdSecure, err := parseEndpoints(endpoints)
+	if err != nil {
+		return cfg, err
 	}
 
+	cfg.Enabled = true
 	cfg.DialTimeout = defaultDialTimeout
 	cfg.DialKeepAliveTime = defaultDialKeepAlive
 	cfg.Endpoints = etcdEndpoints

cmd/config/etcd/etcd_test.go

@@ -0,0 +1,66 @@
+/*
+ * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package etcd
+
+import (
+	"reflect"
+	"testing"
+)
+
+// TestParseEndpoints - tests parseEndpoints function with valid and invalid inputs.
+func TestParseEndpoints(t *testing.T) {
+	testCases := []struct {
+		s         string
+		endpoints []string
+		secure    bool
+		success   bool
+	}{
+		// Invalid inputs
+		{"https://localhost:2379,http://localhost:2380", nil, false, false},
+		{",,,", nil, false, false},
+		{"", nil, false, false},
+		{"ftp://localhost:2379", nil, false, false},
+		{"http://localhost:2379000", nil, false, false},
+
+		// Valid inputs
+		{"https://localhost:2379,https://localhost:2380", []string{
+			"https://localhost:2379", "https://localhost:2380"},
+			true, true},
+		{"http://localhost:2379", []string{"http://localhost:2379"}, false, true},
+	}
+
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.s, func(t *testing.T) {
+			endpoints, secure, err := parseEndpoints(testCase.s)
+			if err != nil && testCase.success {
+				t.Errorf("expected to succeed but failed with %s", err)
+			}
+			if !testCase.success && err == nil {
+				t.Error("expected failure but succeeded instead")
+			}
+			if testCase.success {
+				if !reflect.DeepEqual(endpoints, testCase.endpoints) {
+					t.Errorf("expected %s, got %s", testCase.endpoints, endpoints)
+				}
+				if secure != testCase.secure {
+					t.Errorf("expected %t, got %t", testCase.secure, secure)
+				}
+			}
+		})
+	}
+}