fix: reset the call timestamp after a bulk trigger (#6080)

* reproduce #5808

Add an integration test that imports and gets N amount of human users.
- With N set to 1-10 the operation seems to succeed always
- With N set to 100 the operation seems to fail between 1 and 7 times.

* fix merge issue

* fix: reset the call timestamp after a bulk trigger

With the use of `AS OF SYSTEM TIME` in queries,
there was a change for the query package not
finding the latest projection verson after
a bulk trigger.
If events where processed in the bulk trigger,
the resulting row timestamp would be after the call
start timestamp.
This sometimes resulted in consistency issues when
Set and Get API methods are called in short succession.
For example a Import and Get user could sometimes result in a Not Found
error.

Although the issue was reported for the Management API user import,
it is likely this bug contributed to the flaky integration and e2e tests.

Fixes #5808

* trigger bulk action in GetSession

* don't use the new context in handler schedule

* disable reproduction test

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/call/duration.go

@@ -9,12 +9,18 @@ type durationKey struct{}
 
 var key *durationKey = (*durationKey)(nil)
 
-// WithTimestamp sets [time.Now()] adds the call field to the context
-// if it's not already set
+// WithTimestamp sets [time.Now()] to the call field in the context
+// if it's not already set.
 func WithTimestamp(parent context.Context) context.Context {
 	if parent.Value(key) != nil {
 		return parent
 	}
+	return ResetTimestamp(parent)
+}
+
+// ResetTimestamp sets [time.Now()] to the call field in the context,
+// overwriting any previously set call timestamp.
+func ResetTimestamp(parent context.Context) context.Context {
 	return context.WithValue(parent, key, time.Now())
 }
 

internal/api/grpc/management/user_integration_test.go

@@ -0,0 +1,87 @@
+//go:build integration
+
+package management_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/management"
+)
+
+var (
+	CTX    context.Context
+	Tester *integration.Tester
+	Client management.ManagementServiceClient
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, errCtx, cancel := integration.Contexts(3 * time.Minute)
+		defer cancel()
+
+		Tester = integration.NewTester(ctx)
+		defer Tester.Done()
+
+		CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
+		Client = Tester.Client.Mgmt
+		return m.Run()
+	}())
+}
+
+// TestImport_and_Get reproduces https://github.com/zitadel/zitadel/issues/5808
+// which led to consistency issues due the call timestamp not being
+// updated after a bulk Trigger.
+// This test Imports a user and directly tries to Get it, 100 times in a loop.
+// When the bug still existed, some (between 1 to 7 out of 100)
+// Get calls would return a Not Found error.
+
+/* Test disabled because it breaks the pipeline.
+func TestImport_and_Get(t *testing.T) {
+	const N = 100
+	var misses int
+
+	for i := 0; i < N; i++ {
+		firstName := strconv.Itoa(i)
+		t.Run(firstName, func(t *testing.T) {
+			// create unique names.
+			lastName := strconv.FormatInt(time.Now().Unix(), 10)
+			userName := strings.Join([]string{firstName, lastName}, "_")
+			email := strings.Join([]string{userName, "zitadel.com"}, "@")
+
+			res, err := Client.ImportHumanUser(CTX, &management.ImportHumanUserRequest{
+				UserName: userName,
+				Profile: &management.ImportHumanUserRequest_Profile{
+					FirstName:         firstName,
+					LastName:          lastName,
+					PreferredLanguage: language.Afrikaans.String(),
+					Gender:            user.Gender_GENDER_DIVERSE,
+				},
+				Email: &management.ImportHumanUserRequest_Email{
+					Email:           email,
+					IsEmailVerified: true,
+				},
+			})
+			require.NoError(t, err)
+
+			_, err = Client.GetUserByID(CTX, &management.GetUserByIDRequest{Id: res.GetUserId()})
+
+			if s, ok := status.FromError(err); ok {
+				if s == nil {
+					return
+				}
+				if s.Code() == codes.NotFound {
+					t.Log(s)
+					misses++
+					return
+				}
+			}
+			require.NoError(t, err) // catch and fail on any other error
+		})
+	}
+	assert.Zerof(t, misses, "Not Found errors %d out of %d", misses, N)
+}
+*/

internal/api/grpc/session/v2/session.go

@@ -16,7 +16,7 @@ import (
 )
 
 func (s *Server) GetSession(ctx context.Context, req *session.GetSessionRequest) (*session.GetSessionResponse, error) {
-	res, err := s.query.SessionByID(ctx, req.GetSessionId(), req.GetSessionToken())
+	res, err := s.query.SessionByID(ctx, true, req.GetSessionId(), req.GetSessionToken())
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/session/v2/session_integration_test.go

@@ -10,8 +10,6 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 
 	"github.com/zitadel/zitadel/internal/integration"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
@@ -43,31 +41,16 @@ func TestMain(m *testing.M) {
 	}())
 }
 
-func verifyCurrentSession(t testing.TB, id, token string, sequence uint64, window time.Duration, metadata map[string][]byte, factors ...wantFactor) (s *session.Session) {
+func verifyCurrentSession(t testing.TB, id, token string, sequence uint64, window time.Duration, metadata map[string][]byte, factors ...wantFactor) *session.Session {
 	require.NotEmpty(t, id)
 	require.NotEmpty(t, token)
 
-retry:
-	for {
-		resp, err := Client.GetSession(CTX, &session.GetSessionRequest{
-			SessionId:    id,
-			SessionToken: &token,
-		})
-		if err == nil {
-			s = resp.GetSession()
-			break retry
-		}
-		if code := status.Convert(err).Code(); code == codes.NotFound || code == codes.PermissionDenied {
-			select {
-			case <-CTX.Done():
-				t.Fatal(CTX.Err(), err)
-			case <-time.After(time.Second):
-				t.Log("retrying GetSession")
-				continue
-			}
-		}
-		require.NoError(t, err)
-	}
+	resp, err := Client.GetSession(CTX, &session.GetSessionRequest{
+		SessionId:    id,
+		SessionToken: &token,
+	})
+	require.NoError(t, err)
+	s := resp.GetSession()
 
 	assert.Equal(t, id, s.GetId())
 	assert.WithinRange(t, s.GetCreationDate().AsTime(), time.Now().Add(-window), time.Now().Add(window))