Unclear error message when pointing `tsh login` at non-Teleport proxy server

[benarent]

Description

While trying to connect to a new demo cluster locally. I think it's due to the proxy in-front of these demo instances but the error message isnt' clear.

What happened:

➜  teleport tsh login --proxy=teleport-vm-8443-pexxxxxxx.env.play.instruqt.com:443 --auth=local --user=teleport-admin
ERROR: invalid character 'U' looking for beginning of value

➜  teleport tsh login --proxy=teleport-vm-8443-peavxxxxx.env.play.instruqt.com:443 --auth=local --user=teleport-admin -d
DEBU [CLIENT]    open /Users/benarent/.tsh/teleport-vm-8443-peavuxxxxx.env.play.instruqt.com.yaml: no such file or directory client/api.go:717
INFO [CLIENT]    no host login given. defaulting to benarent client/api.go:1040
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.sbljfK7QwF/Listeners" client/api.go:2804
DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport-vm-8443-peavukozizsa.env.play.instruqt.com:443 client/api.go:2765

ERROR REPORT:
Original Error: *json.SyntaxError invalid character 'U' looking for beginning of value
Stack Trace:
    /tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/vendor/github.com/gravitational/teleport/api/client/webclient/webclient.go:93 github.com/gravitational/teleport/api/client/webclient.Ping
    /tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:2362 github.com/gravitational/teleport/lib/client.(*TeleportClient).Ping
    /tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:2216 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
    /tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:811 main.onLogin
    /tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:597 main.Run
    /tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:266 main.main
    /usr/local/go/src/runtime/proc.go:225 runtime.main
    /usr/local/go/src/runtime/asm_amd64.s:1371 runtime.goexit
User Message: invalid character 'U' looking for beginning of value

What you expected to happen:

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem. 1. 2. 3.

Server Details

• Teleport version (run teleport version):
• Server OS (e.g. from /etc/os-release):
• Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware):
• Additional details:

Client Details

• Tsh version (tsh version):
• Computer OS (e.g. Linux, macOS, Windows):
• Browser version (for UI-related issues):
• Installed via (e.g. apt, yum, brew, website download):
• Additional details:

Debug Logs

Please include or attach debug logs, when appropriate. Obfuscate sensitive information!

• Start Teleport with --debug flag (teleport --debug)
• Run tsh with --debug flag (tsh --debug)

[benarent]

Adding error-msg to this issue. This is due to not being able to connect to the public endpoint.

[ravicious]

@benarent I renamed the issue to something more specific so that I can bring it up on our Slack channel.

---

This happens if the --proxy flag points to a server that's not a Teleport Proxy. I've run into this a number of times. It's super easy to run into this, be it a configuration error on some load balancer or simply making a typo, say typing 'myteleportcluster.cominstead ofproxy.myteleportcluster.com`. The error message doesn't help you spot the problem.

$ tsh login --proxy=example.com:443 -d
DEBU             Attempting GET example.com:443/webapi/ping webclient/webclient.go:115
ERROR REPORT:
Original Error: *json.SyntaxError invalid character '<' looking for beginning of value
Stack Trace:
    /Users/rav/Projects/teleport/api/client/webclient/webclient.go:208 github.com/gravitational/teleport/api/client/webclient.Ping
    /Users/rav/Projects/teleport/lib/client/api.go:3528 github.com/gravitational/teleport/lib/client.(*TeleportClient).Ping
    /Users/rav/Projects/teleport/lib/client/api.go:3145 github.com/gravitational/teleport/lib/client.(*TeleportClient).PingAndShowMOTD
    /Users/rav/Projects/teleport/lib/client/api.go:3189 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
    /Users/rav/Projects/teleport/tool/tsh/tsh.go:1320 main.onLogin
    /Users/rav/Projects/teleport/tool/tsh/tsh.go:875 main.Run
    /Users/rav/Projects/teleport/tool/tsh/tsh.go:397 main.main
    /opt/homebrew/Cellar/go/1.18.1/libexec/src/runtime/proc.go:250 runtime.main
    /opt/homebrew/Cellar/go/1.18.1/libexec/src/runtime/asm_arm64.s:1259 runtime.goexit
User Message: invalid character '<' looking for beginning of value

This happens because webclient.Config.Ping doesn't check if the response was successful (it only checks for the 400 status code) and immediately assumes that the response body is in json format and throws it to the parser.

https://github.com/gravitational/teleport/blob/f41d24630e6249cee3160630a6b11ed75330d88c/api/client/webclient/webclient.go#L194-L209

At minimum I think tsh should do two more things:

1. Check if the request was successful.
2. Check Content-Type header of the response before attempting to pass the body to the JSON parser.

If any of those checks fails, tsh could show a message like "The request to example.com:443/webapi/ping was not successful. This might be because the Teleport proxy server is offline or example.com:443 doesn't point to a Teleport proxy server".

We should also make sure the fix for this issue also plays well with a situation where the user doesn't specify a port of the proxy. In that case we have some kind of mechanism to guess the port number and the behavior of tsh is a bit different.