From 85df2ef94731b6e5aeec5e1e3e195a93f4306418 Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov <andrew@gravitational.com>
Date: Wed, 18 Nov 2020 17:51:28 +0000
Subject: [PATCH] Prevent a panic in tsh kube login when logged out (#4885)

Turns out, client.Status can return a nil error *and* profile.
Handle nil profile separately and return a simple error.
---
 lib/client/api.go | 1 +
 tool/tsh/kube.go  | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/client/api.go b/lib/client/api.go
index b5183abcc12fa..9d96e3b3e71f7 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -504,6 +504,7 @@ func readProfile(profileDir string, profileName string) (*ProfileStatus, error)
 }
 
 // Status returns the active profile as well as a list of available profiles.
+// If no profile is active, Status returns a nil error and nil profile.
 func Status(profileDir string, proxyHost string) (*ProfileStatus, []*ProfileStatus, error) {
 	var err error
 	var profile *ProfileStatus
diff --git a/tool/tsh/kube.go b/tool/tsh/kube.go
index de6f3e7a58773..5f9df8627596d 100644
--- a/tool/tsh/kube.go
+++ b/tool/tsh/kube.go
@@ -25,7 +25,6 @@ import (
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/kube/kubeconfig"
 	kubeutils "github.com/gravitational/teleport/lib/kube/utils"
-	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/trace"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -226,10 +225,12 @@ func (c *kubeLoginCommand) run(cf *CLIConf) error {
 	profile, _, err := client.Status("", cf.Proxy)
 	if err != nil {
 		if trace.IsNotFound(err) {
-			fmt.Println("Not logged in.")
-			return nil
+			return trace.AccessDenied("not logged in")
 		}
-		utils.FatalError(err)
+		return trace.Wrap(err)
+	}
+	if profile == nil {
+		return trace.AccessDenied("not logged in")
 	}
 	kc, err := kubeconfig.Load("")
 	if err != nil {