gravitational · justinas · May 24, 2023 · May 22, 2023 · May 24, 2023 · capnspacehook
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -5195,13 +5195,8 @@ message PluginBearerTokenCredentials {
   // Token is the literal bearer token to be submitted to the 3rd-party API provider.
   string token = 1;
 
-  // TokenFile is a path to the local file containing a bearer token.
-  // This takes precedence over Token, and is currently only used by
-  // OpenAI plugin in Cloud, where by default a Teleport-owned key is used.
-  // This avoids exposing the token itself to the cluster.
-  // The file must exist and be readable on whatever runs the plugin
-  // (in the OpenAI case, it is the Proxy).
-  string token_file = 2;
+  reserved 2; // token_file
+  reserved "token_file";
 }
 
 // PluginList represents a list of plugin resources

diff --git a/api/types/plugin.go b/api/types/plugin.go
@@ -124,8 +124,8 @@ func (p *PluginV1) CheckAndSetDefaults() error {
 		if bearer == nil {
 			return trace.BadParameter("openai plugin must be used with the bearer token credential type")
 		}
-		if (bearer.Token == "") == (bearer.TokenFile == "") {
-			return trace.BadParameter("exactly one of Token and TokenFile must be specified")
+		if bearer.Token == "" {
+			return trace.BadParameter("Token must be specified")
 		}
 	case *PluginSpecV1_Jamf:
 		if settings.Jamf.JamfSpec.ApiEndpoint == "" {
@@ -153,8 +153,8 @@ func (p *PluginV1) CheckAndSetDefaults() error {
 		if bearer == nil {
 			return trace.BadParameter("okta plugin must be used with the bearer token credential type")
 		}
-		if (bearer.Token == "") == (bearer.TokenFile == "") {
-			return trace.BadParameter("exactly one of Token and TokenFile must be specified")
+		if bearer.Token == "" {
+			return trace.BadParameter("Token must be specified")
 		}
 	default:
 		return trace.BadParameter("settings are not set or have an unknown type")

diff --git a/api/types/plugin_test.go b/api/types/plugin_test.go
@@ -99,19 +99,6 @@ func TestPluginOpenAIValidation(t *testing.T) {
 				require.NoError(t, err)
 			},
 		},
-		{
-			name: "valid credentials (token file)",
-			creds: &PluginCredentialsV1{
-				Credentials: &PluginCredentialsV1_BearerToken{
-					BearerToken: &PluginBearerTokenCredentials{
-						TokenFile: "/var/lib/secrets/openai_token",
-					},
-				},
-			},
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.NoError(t, err)
-			},
-		},
 	}
 
 	for _, tc := range testCases {
@@ -201,24 +188,6 @@ func TestPluginOktaValidation(t *testing.T) {
 				require.NoError(t, err)
 			},
 		},
-		{
-			name: "valid credentials (token file)",
-			settings: &PluginSpecV1_Okta{
-				Okta: &PluginOktaSettings{
-					OrgUrl: "https://test.okta.com",
-				},
-			},
-			creds: &PluginCredentialsV1{
-				Credentials: &PluginCredentialsV1_BearerToken{
-					BearerToken: &PluginBearerTokenCredentials{
-						TokenFile: "/var/lib/secrets/okta_token",
-					},
-				},
-			},
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.NoError(t, err)
-			},
-		},
 	}
 
 	for _, tc := range testCases {