CDRIVER-4081 Add support for AssumeRoleWithWebIdentity in AWS Auth

.evergreen/generated_configs/legacy-config.yml

@@ -267,7 +267,12 @@ functions:
             "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
             "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
             "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
-            "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}"
+            "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}",
+            "iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}",
+            "iam_web_identity_issuer": "${iam_web_identity_issuer}",
+            "iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}",
+            "iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}",
+            "iam_web_identity_token_file": "${iam_web_identity_token_file}"
         }
         EOF
   - command: shell.exec
@@ -2050,6 +2055,57 @@ tasks:
   - func: run aws tests
     vars:
       TESTCASE: ASSUME_ROLE
+- name: test-aws-openssl-assume_role_with_web_identity-latest
+  depends_on:
+    name: debug-compile-aws
+  commands:
+  - func: fetch-build
+    vars:
+      BUILD_NAME: debug-compile-aws
+  - func: fetch-det
+  - func: bootstrap-mongo-orchestration
+    vars:
+      AUTH: auth
+      MONGODB_VERSION: latest
+      ORCHESTRATION_FILE: auth-aws
+      TOPOLOGY: server
+  - func: run aws tests
+    vars:
+      TESTCASE: ASSUME_ROLE_WITH_WEB_IDENTITY
+- name: test-aws-openssl-assume_role_with_web_identity-5.0
+  depends_on:
+    name: debug-compile-aws
+  commands:
+  - func: fetch-build
+    vars:
+      BUILD_NAME: debug-compile-aws
+  - func: fetch-det
+  - func: bootstrap-mongo-orchestration
+    vars:
+      AUTH: auth
+      MONGODB_VERSION: '5.0'
+      ORCHESTRATION_FILE: auth-aws
+      TOPOLOGY: server
+  - func: run aws tests
+    vars:
+      TESTCASE: ASSUME_ROLE_WITH_WEB_IDENTITY
+- name: test-aws-openssl-assume_role_with_web_identity-4.4
+  depends_on:
+    name: debug-compile-aws
+  commands:
+  - func: fetch-build
+    vars:
+      BUILD_NAME: debug-compile-aws
+  - func: fetch-det
+  - func: bootstrap-mongo-orchestration
+    vars:
+      AUTH: auth
+      MONGODB_VERSION: '4.4'
+      ORCHESTRATION_FILE: auth-aws
+      TOPOLOGY: server
+  - func: run aws tests
+    vars:
+      TESTCASE: ASSUME_ROLE_WITH_WEB_IDENTITY
 - name: ocsp-openssl-test_1-rsa-delegate-latest
   tags:
   - ocsp-openssl
@@ -9639,6 +9695,9 @@ buildvariants:
   - test-aws-openssl-ecs-4.4
   - test-aws-openssl-assume_role-4.4
   - test-aws-openssl-lambda-4.4
+  - test-aws-openssl-assume_role_with_web_identity-latest
+  - test-aws-openssl-assume_role_with_web_identity-5.0
+  - test-aws-openssl-assume_role_with_web_identity-4.4
 - name: mongohouse
   display_name: Mongohouse Test
   run_on: ubuntu1804-test

.evergreen/legacy_config_generator/evergreen_config_lib/functions.py

@@ -193,7 +193,12 @@
             "iam_auth_assume_role_name" : "${iam_auth_assume_role_name}",
             "iam_auth_ec2_instance_account" : "${iam_auth_ec2_instance_account}",
             "iam_auth_ec2_instance_secret_access_key" : "${iam_auth_ec2_instance_secret_access_key}",
-            "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}"
+            "iam_auth_ec2_instance_profile" : "${iam_auth_ec2_instance_profile}",
+            "iam_auth_assume_web_role_name": "${iam_auth_assume_web_role_name}",
+            "iam_web_identity_issuer": "${iam_web_identity_issuer}",
+            "iam_web_identity_rsa_key": "${iam_web_identity_rsa_key}",
+            "iam_web_identity_jwks_uri": "${iam_web_identity_jwks_uri}",
+            "iam_web_identity_token_file": "${iam_web_identity_token_file}"
         }
         EOF
         ''', silent=True),

.evergreen/legacy_config_generator/evergreen_config_lib/tasks.py

@@ -826,7 +826,7 @@ def _check_allowed(self):
 
 
 class AWSTestTask(MatrixTask):
-    axes = OD([('testcase', ['regular', 'ec2', 'ecs', 'lambda', 'assume_role']),
+    axes = OD([('testcase', ['regular', 'ec2', 'ecs', 'lambda', 'assume_role', 'assume_role_with_web_identity']),
                ('version', ['latest', '5.0', '4.4'])])
 
     name_prefix = 'test-aws-openssl'

.evergreen/legacy_config_generator/evergreen_config_lib/variants.py

@@ -397,7 +397,10 @@ def days(n):
         'test-aws-openssl-ec2-4.4',
         'test-aws-openssl-ecs-4.4',
         'test-aws-openssl-assume_role-4.4',
-        'test-aws-openssl-lambda-4.4'
+        'test-aws-openssl-lambda-4.4',
+        'test-aws-openssl-assume_role_with_web_identity-latest',
+        'test-aws-openssl-assume_role_with_web_identity-5.0',
+        'test-aws-openssl-assume_role_with_web_identity-4.4',
     ], {'CC': 'clang'}),
     Variant('mongohouse',
             'Mongohouse Test',

.evergreen/scripts/run-aws-tests.sh

@@ -158,5 +158,46 @@ EOF
   exit
 fi
 
+if [[ "${TESTCASE}" == "ASSUME_ROLE_WITH_WEB_IDENTITY" ]]; then
+  echo "===== Testing auth via Web Identity ====="
+  # Do necessary setup.
+  # Create user on $external db.
+  pushd "${drivers_tools_dir}/.evergreen/auth_aws"
+  mongo --verbose aws_e2e_web_identity.js
+  popd # "${drivers_tools_dir}/.evergreen/auth_aws"
+
+  declare iam_auth_assume_web_role_name iam_web_identity_token_file
+  iam_auth_assume_web_role_name="$(jq -r '.iam_auth_assume_web_role_name' "${drivers_tools_dir}/.evergreen/auth_aws/aws_e2e_setup.json")"
+  iam_web_identity_token_file="$(jq -r '.iam_web_identity_token_file' "${drivers_tools_dir}/.evergreen/auth_aws/aws_e2e_setup.json")"
+
+  echo "Valid credentials via Web Identity - should succeed"
+  AWS_ROLE_ARN="${iam_auth_assume_web_role_name}" \
+  AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}" \
+    expect_success "mongodb://localhost/?authMechanism=MONGODB-AWS"
+
+  echo "Valid credentials via Web Identity with session name - should succeed"
+  AWS_ROLE_ARN="${iam_auth_assume_web_role_name}" \
+  AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}" \
+  AWS_ROLE_SESSION_NAME=test \
+    expect_success "mongodb://localhost/?authMechanism=MONGODB-AWS"
+
+  echo "Invalid AWS_ROLE_ARN via Web Identity with session name - should fail"
+  AWS_ROLE_ARN="invalid_role_arn" \
+  AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}" \
+    expect_failure "mongodb://localhost/?authMechanism=MONGODB-AWS"
+
+  echo "Invalid AWS_WEB_IDENTITY_TOKEN_FILE via Web Identity with session name - should fail"
+  AWS_ROLE_ARN="${iam_auth_assume_web_role_name}" \
+  AWS_WEB_IDENTITY_TOKEN_FILE="/invalid/path" \
+    expect_failure "mongodb://localhost/?authMechanism=MONGODB-AWS"
+
+  echo "Invalid AWS_ROLE_SESSION_NAME via Web Identity with session name - should fail"
+  AWS_ROLE_ARN="${iam_auth_assume_web_role_name}" \
+  AWS_WEB_IDENTITY_TOKEN_FILE="${iam_web_identity_token_file}" \
+  AWS_ROLE_SESSION_NAME="contains_invalid_character_^" \
+    expect_failure "mongodb://localhost/?authMechanism=MONGODB-AWS"
+  exit
+fi
+
 echo "Unexpected testcase '${TESTCASE}'" 1>&2
 exit 1

src/libbson/src/bson/bson-string.c

@@ -90,7 +90,9 @@ bson_string_free (bson_string_t *string, /* IN */
 {
    char *ret = NULL;
 
-   BSON_ASSERT (string);
+   if (!string) {
+      return NULL;
+   }
 
    if (!free_segment) {
       ret = string->str;