Context

All other auth mechanisms that require the auth source is "$external" validate that the auth source is either unspecified or "$external":

• GSSAPI
• MONGODB-AWS
• MONGODB-OIDC as of this PR

MONGODB-X509 requires that the auth source is "$external", but does not validate it anywhere. MONGODB-X509 always uses auth source "$external" independent of the user input, so it works correctly, but may confuse users who try to specify a different auth source (which has no effect). For consistency, we should perform the same validation for all auth sources that require auth source "$external".

Definition of done

• Add a validation that the auth source is either unspecified (i.e. empty string) or "$external" in newMongoDBX509Authenticator. Similar to the validation in newMongoDBAWSAuthenticator.

Pitfalls

Users may start getting client initialization errors when they didn't previously with the same config. For that reason, we should only do this in a major version release.