Unverified Commit bd38d0dd authored by Rob Speller's avatar Rob Speller Committed by GitHub

fix: treat blank env credentials as missing (#1272)

parent 7a5d1792
+6 −0
@@ -34,3 +34,9 @@ message = "Update all SDK and runtime crates to [edition 2021](https://blog.rust
references = ["aws-sdk-rust#490"]
meta = { "breaking" = true, "tada" = false, "bug" = false }
author = "Velfi"

[[aws-sdk-rust]]
message = "Treat blank environment variable credentials (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) as missing instead of attempting to use them to sign requests."
references = ["aws-sdk-rust#1271"]
meta = { "breaking" = false, "tada" = false, "bug" = true }
author = "elrob"
+1 −0
@@ -320,6 +320,7 @@ mod test {
    make_test!(web_identity_token_profile);
    make_test!(profile_name);
    make_test!(profile_overrides_web_identity);
    make_test!(environment_variables_blank);
    make_test!(imds_token_fail);

    make_test!(imds_no_iam_role);
+60 −1
@@ -23,11 +23,17 @@ pub struct EnvironmentVariableCredentialsProvider {

impl EnvironmentVariableCredentialsProvider {
    fn credentials(&self) -> credentials::Result {
        let access_key = self.env.get("AWS_ACCESS_KEY_ID").map_err(to_cred_error)?;
        let access_key = self
            .env
            .get("AWS_ACCESS_KEY_ID")
            .and_then(err_if_blank)
            .map_err(to_cred_error)?;
        let secret_key = self
            .env
            .get("AWS_SECRET_ACCESS_KEY")
            .and_then(err_if_blank)
            .or_else(|_| self.env.get("SECRET_ACCESS_KEY"))
            .and_then(err_if_blank)
            .map_err(to_cred_error)?;
        let session_token = self
            .env
@@ -87,6 +93,14 @@ fn to_cred_error(err: VarError) -> CredentialsError {
    }
}

fn err_if_blank(value: String) -> Result<String, VarError> {
    if value.trim().is_empty() {
        Err(VarError::NotPresent)
    } else {
        Ok(value)
    }
}

#[cfg(test)]
mod test {
    use aws_types::credentials::{CredentialsError, ProvideCredentials};
@@ -173,6 +187,25 @@ mod test {
        assert_eq!(creds.secret_access_key(), "secret");
    }

    #[test]
    fn secret_key_fallback_empty() {
        let provider = make_provider(&[
            ("AWS_ACCESS_KEY_ID", "access"),
            ("AWS_SECRET_ACCESS_KEY", " "),
            ("SECRET_ACCESS_KEY", "secret"),
            ("AWS_SESSION_TOKEN", "token"),
        ]);

        let creds = provider
            .provide_credentials()
            .now_or_never()
            .unwrap()
            .expect("valid credentials");
        assert_eq!(creds.session_token().unwrap(), "token");
        assert_eq!(creds.access_key_id(), "access");
        assert_eq!(creds.secret_access_key(), "secret");
    }

    #[test]
    fn missing() {
        let provider = make_provider(&[]);
@@ -184,6 +217,32 @@ mod test {
        assert!(matches!(err, CredentialsError::CredentialsNotLoaded { .. }));
    }

    #[test]
    fn empty_keys_env_vars() {
        for [access_key_value, secret_key_value] in &[
            &["", ""],
            &[" ", ""],
            &["access", ""],
            &["", " "],
            &[" ", " "],
            &["access", " "],
            &["", "secret"],
            &[" ", "secret"],
        ] {
            let provider = make_provider(&[
                ("AWS_ACCESS_KEY_ID", access_key_value),
                ("AWS_SECRET_ACCESS_KEY", secret_key_value),
            ]);

            let err = provider
                .provide_credentials()
                .now_or_never()
                .unwrap()
                .expect_err("no credentials defined");
            assert!(matches!(err, CredentialsError::CredentialsNotLoaded { .. }));
        }
    }

    #[test]
    fn real_environment() {
        let provider = EnvironmentVariableCredentialsProvider::new();
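Review bot: `err_if_blank` rejects empty and whitespace-only values but hands every other value back untrimmed, so a key with stray surrounding whitespace (a trailing newline copied from a secrets file, say) is still used for signing and would likely surface as an authentication failure rather than as `CredentialsNotLoaded`. If that is intended, record it on the helper with a doc comment such as `/// Maps empty or whitespace-only values to VarError::NotPresent; any other value is returned unchanged, not trimmed.` In the secret-key chain the trailing `.and_then(err_if_blank)` re-checks a value that already passed the first check; dropping it in favour of `.or_else(|_| self.env.get("SECRET_ACCESS_KEY").and_then(err_if_blank))` keeps each lookup next to its own check. `credentials()` continues past the end of the first hunk, so the `AWS_SESSION_TOKEN` lookup is not visible here; if it does not go through the same helper, a blank token would presumably still be attached to otherwise valid credentials, and neither `secret_key_fallback_empty` nor `empty_keys_env_vars` covers that case.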
+6 −0
{
  "HOME": "/home",
  "AWS_ACCESS_KEY_ID": " ",
  "AWS_SECRET_ACCESS_KEY": " ",
  "AWS_PROFILE": "some_profile"
}
+9 −0
[default]
region = us-east-1
aws_access_key_id = incorrect_key
aws_secret_access_key = incorrect_secret

[profile some_profile]
region = us-east-2
aws_access_key_id = correct_key
aws_secret_access_key = correct_secret