Ensure comment is always a valid key (#8604)

Also fix LDAP leaky connection

cmd/config/config.go

@@ -399,6 +399,12 @@ func LookupRegion(kv KVS) (string, error) {
 func CheckValidKeys(subSys string, kv KVS, validKVS KVS) error {
 	nkv := KVS{}
 	for _, kv := range kv {
+		// Comment is a valid key, its also fully optional
+		// ignore it since it is a valid key for all
+		// sub-systems.
+		if kv.Key == Comment {
+			continue
+		}
 		if _, ok := validKVS.Lookup(kv.Key); !ok {
 			nkv = append(nkv, kv)
 		}
@@ -557,23 +563,19 @@ func (c Config) SetKVS(s string, defaultKVS map[string]KVS) error {
 			continue
 		}
 		if len(kv) == 1 && prevK != "" {
-			kvs = append(kvs, KV{
+			value := strings.Join([]string{
-				Key: prevK,
+				kvs.Get(prevK),
-				Value: strings.Join([]string{
+				madmin.SanitizeValue(kv[0]),
-					kvs.Get(prevK),
+			}, KvSpaceSeparator)
-					madmin.SanitizeValue(kv[0]),
+			kvs.Set(prevK, value)
-				}, KvSpaceSeparator),
-			})
 			continue
 		}
-		if len(kv) == 1 {
+		if len(kv) == 2 {
-			return Errorf(SafeModeKind, "key '%s', cannot have empty value", kv[0])
+			prevK = kv[0]
+			kvs.Set(prevK, madmin.SanitizeValue(kv[1]))
+			continue
 		}
-		prevK = kv[0]
+		return Errorf(SafeModeKind, "key '%s', cannot have empty value", kv[0])
-		kvs = append(kvs, KV{
-			Key:   kv[0],
-			Value: madmin.SanitizeValue(kv[1]),
-		})
 	}
 
 	tgt := Default
@@ -587,25 +589,27 @@ func (c Config) SetKVS(s string, defaultKVS map[string]KVS) error {
 	_, defaultOk := defaultKVS[subSys].Lookup(Enable)
 	if !ok && defaultOk {
 		// implicit state "on" if not specified.
-		kvs = append(kvs, KV{
+		kvs.Set(Enable, EnableOn)
-			Key:   Enable,
-			Value: EnableOn,
-		})
 	}
 
-	currKVS := c[subSys][tgt]
+	currKVS, ok := c[subSys][tgt]
+	if !ok {
+		currKVS = defaultKVS[subSys]
+	}
 
 	for _, kv := range kvs {
+		if kv.Key == Comment {
+			// Skip comment and add it later.
+			continue
+		}
 		currKVS.Set(kv.Key, kv.Value)
 	}
 
-	for _, defaultKV := range defaultKVS[subSys] {
+	v, ok := kvs.Lookup(Comment)
-		_, ok := c[subSys][tgt].Lookup(defaultKV.Key)
+	if ok {
-		if !ok {
+		currKVS.Set(Comment, v)
-			currKVS.Set(defaultKV.Key, defaultKV.Value)
-		}
 	}
 
-	copy(c[subSys][tgt], currKVS)
+	c[subSys][tgt] = currKVS
 	return nil
 }

cmd/sts-handlers.go

@@ -484,6 +484,9 @@ func (sts *stsAPIHandlers) AssumeRoleWithLDAPIdentity(w http.ResponseWriter, r *
 		return
 	}
 
+	// Close ldap connection to avoid leaks.
+	defer ldapConn.Close()
+
 	usernameSubs, _ := xldap.NewSubstituter("username", ldapUsername)
 	// We ignore error below as we already validated the username
 	// format string at startup.

pkg/madmin/parse-kv.go

@@ -40,6 +40,23 @@ func (kvs KVS) Empty() bool {
 	return len(kvs) == 0
 }
 
+// Set sets a value, if not sets a default value.
+func (kvs *KVS) Set(key, value string) {
+	for i, kv := range *kvs {
+		if kv.Key == key {
+			(*kvs)[i] = KV{
+				Key:   key,
+				Value: value,
+			}
+			return
+		}
+	}
+	*kvs = append(*kvs, KV{
+		Key:   key,
+		Value: value,
+	})
+}
+
 // Get - returns the value of a key, if not found returns empty.
 func (kvs KVS) Get(key string) string {
 	v, ok := kvs.Lookup(key)
@@ -174,20 +191,19 @@ func (t *Targets) AddTarget(s string) error {
 			continue
 		}
 		if len(kv) == 1 && prevK != "" {
-			kvs = append(kvs, KV{
+			value := strings.Join([]string{
-				Key:   prevK,
+				kvs.Get(prevK),
-				Value: strings.Join([]string{kvs.Get(prevK), SanitizeValue(kv[0])}, KvSpaceSeparator),
+				SanitizeValue(kv[0]),
-			})
+			}, KvSpaceSeparator)
+			kvs.Set(prevK, value)
 			continue
 		}
-		if len(kv) == 1 {
+		if len(kv) == 2 {
-			return fmt.Errorf("value for key '%s' cannot be empty", kv[0])
+			prevK = kv[0]
+			kvs.Set(prevK, SanitizeValue(kv[1]))
+			continue
 		}
-		prevK = kv[0]
+		return fmt.Errorf("value for key '%s' cannot be empty", kv[0])
-		kvs = append(kvs, KV{
-			Key:   kv[0],
-			Value: SanitizeValue(kv[1]),
-		})
 	}
 
 	for i := range *t {