gravitational · Joerger · Apr 17, 2024 · Apr 1, 2024 · Apr 1, 2024 · Apr 2, 2024
diff --git a/lib/auth/sessions.go b/lib/auth/sessions.go
@@ -23,7 +23,6 @@ import (
 	"time"
 
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/client/proto"
@@ -36,7 +35,6 @@ import (
 	"github.com/gravitational/teleport/lib/jwt"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/services"
-	"github.com/gravitational/teleport/lib/services/local"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -340,84 +338,6 @@ func (a *Server) CreateAppSession(ctx context.Context, req *proto.CreateAppSessi
 	return session, nil
 }
 
-// WaitForAppSession will block until the requested application session shows up in the
-// cache or a timeout occurs.
-func WaitForAppSession(ctx context.Context, sessionID, user string, ap ReadProxyAccessPoint) error {
-	req := waitForWebSessionReq{
-		newWatcherFn: ap.NewWatcher,
-		getSessionFn: func(ctx context.Context, sessionID string) (types.WebSession, error) {
-			return ap.GetAppSession(ctx, types.GetAppSessionRequest{SessionID: sessionID})
-		},
-	}
-	return trace.Wrap(waitForWebSession(ctx, sessionID, user, types.KindAppSession, req))
-}
-
-// WaitForSnowflakeSession waits until the requested Snowflake session shows up int the cache
-// or a timeout occurs.
-func WaitForSnowflakeSession(ctx context.Context, sessionID, user string, ap SnowflakeSessionWatcher) error {
-	req := waitForWebSessionReq{
-		newWatcherFn: ap.NewWatcher,
-		getSessionFn: func(ctx context.Context, sessionID string) (types.WebSession, error) {
-			return ap.GetSnowflakeSession(ctx, types.GetSnowflakeSessionRequest{SessionID: sessionID})
-		},
-	}
-	return trace.Wrap(waitForWebSession(ctx, sessionID, user, types.KindSnowflakeSession, req))
-}
-
-// waitForWebSessionReq is a request to wait for web session to be populated in the application cache.
-type waitForWebSessionReq struct {
-	// newWatcherFn is a function that returns new event watcher.
-	newWatcherFn func(ctx context.Context, watch types.Watch) (types.Watcher, error)
-	// getSessionFn is a function that returns web session by given ID.
-	getSessionFn func(ctx context.Context, sessionID string) (types.WebSession, error)
-}
-
-// waitForWebSession is an implementation for web session wait functions.
-func waitForWebSession(ctx context.Context, sessionID, user string, evenSubKind string, req waitForWebSessionReq) error {
-	_, err := req.getSessionFn(ctx, sessionID)
-	if err == nil {
-		return nil
-	}
-	logger := log.WithField("session", sessionID)
-	if !trace.IsNotFound(err) {
-		logger.WithError(err).Debug("Failed to query web session.")
-	}
-	// Establish a watch on application session.
-	watcher, err := req.newWatcherFn(ctx, types.Watch{
-		Name: teleport.ComponentAppProxy,
-		Kinds: []types.WatchKind{
-			{
-				Kind:    types.KindWebSession,
-				SubKind: evenSubKind,
-				Filter:  (&types.WebSessionFilter{User: user}).IntoMap(),
-			},
-		},
-		MetricComponent: teleport.ComponentAppProxy,
-	})
-	if err != nil {
-		return trace.Wrap(err)
-	}
-	defer watcher.Close()
-	matchEvent := func(event types.Event) (types.Resource, error) {
-		if event.Type == types.OpPut &&
-			event.Resource.GetKind() == types.KindWebSession &&
-			event.Resource.GetSubKind() == evenSubKind &&
-			event.Resource.GetName() == sessionID {
-			return event.Resource, nil
-		}
-		return nil, trace.CompareFailed("no match")
-	}
-	_, err = local.WaitForEvent(ctx, watcher, local.EventMatcherFunc(matchEvent), clockwork.NewRealClock())
-	if err != nil {
-		logger.WithError(err).Warn("Failed to wait for web session.")
-		// See again if we maybe missed the event but the session was actually created.
-		if _, err := req.getSessionFn(ctx, sessionID); err == nil {
-			return nil
-		}
-	}
-	return trace.Wrap(err)
-}
-
 // generateAppToken generates an JWT token that will be passed along with every
 // application request.
 func (a *Server) generateAppToken(ctx context.Context, username string, roles []string, traits map[string][]string, uri string, expires time.Time) (string, error) {

diff --git a/lib/cache/cache.go b/lib/cache/cache.go
@@ -2380,7 +2380,7 @@ func (c *Cache) GetAppSession(ctx context.Context, req types.GetAppSessionReques
 		// fallback is sane because method is never used
 		// in construction of derivative caches.
 		if sess, err := c.Config.AppSession.GetAppSession(ctx, req); err == nil {
-			c.Logger.Warnf("Cache was forced to load session %v/%v from upstream. Frequent occurrence may indicate sync/perf issues.", sess.GetSubKind(), sess.GetName())
+			c.Logger.Debugf("Cache was forced to load session %v/%v from upstream.", sess.GetSubKind(), sess.GetName())
 			return sess, nil
 		}
 	}
@@ -2419,7 +2419,7 @@ func (c *Cache) GetSnowflakeSession(ctx context.Context, req types.GetSnowflakeS
 		// fallback is sane because method is never used
 		// in construction of derivative caches.
 		if sess, err := c.Config.SnowflakeSession.GetSnowflakeSession(ctx, req); err == nil {
-			c.Logger.Warnf("Cache was forced to load session %v/%v from upstream. Frequent occurrence may indicate sync/perf issues.", sess.GetSubKind(), sess.GetName())
+			c.Logger.Debugf("Cache was forced to load session %v/%v from upstream.", sess.GetSubKind(), sess.GetName())
 			return sess, nil
 		}
 	}
@@ -2445,7 +2445,7 @@ func (c *Cache) GetSAMLIdPSession(ctx context.Context, req types.GetSAMLIdPSessi
 		// fallback is sane because method is never used
 		// in construction of derivative caches.
 		if sess, err := c.Config.SAMLIdPSession.GetSAMLIdPSession(ctx, req); err == nil {
-			c.Logger.Warnf("Cache was forced to load session %v/%v from upstream. Frequent occurrence may indicate sync/perf issues.", sess.GetSubKind(), sess.GetName())
+			c.Logger.Debugf("Cache was forced to load session %v/%v from upstream.", sess.GetSubKind(), sess.GetName())
 			return sess, nil
 		}
 	}
@@ -2511,7 +2511,7 @@ func (c *Cache) GetWebSession(ctx context.Context, req types.GetWebSessionReques
 		// fallback is sane because method is never used
 		// in construction of derivative caches.
 		if sess, err := c.Config.WebSession.Get(ctx, req); err == nil {
-			c.Logger.Warnf("Cache was forced to load session %v/%v from upstream. Frequent occurrence may indicate sync/perf issues.", sess.GetSubKind(), sess.GetName())
+			c.Logger.Debugf("Cache was forced to load session %v/%v from upstream.", sess.GetSubKind(), sess.GetName())
 			return sess, nil
 		}
 	}

diff --git a/lib/client/api.go b/lib/client/api.go
@@ -2528,10 +2528,6 @@ func (tc *TeleportClient) CreateAppSession(ctx context.Context, req *proto.Creat
 		return nil, trace.Wrap(err)
 	}
 
-	err = auth.WaitForAppSession(ctx, ws.GetName(), ws.GetUser(), rootAuthClient)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
 	return ws, nil
 }
 

diff --git a/lib/client/client.go b/lib/client/client.go
@@ -803,10 +803,6 @@ func (proxy *ProxyClient) CreateAppSession(ctx context.Context, req *proto.Creat
 	}
 	defer accessPoint.Close()
 
-	err = auth.WaitForAppSession(ctx, ws.GetName(), ws.GetUser(), accessPoint)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
 	return ws, nil
 }
 

diff --git a/lib/srv/db/snowflake/engine.go b/lib/srv/db/snowflake/engine.go
@@ -38,7 +38,6 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 
 	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/srv/db/common"
 	"github.com/gravitational/teleport/lib/srv/db/common/role"
@@ -565,11 +564,6 @@ func (e *Engine) getSnowflakeToken(ctx context.Context, sessionToken string) (st
 		return snowflakeToken, nil
 	}
 
-	// Fetch the token from the auth server if not found in the local cache.
-	if err := auth.WaitForSnowflakeSession(ctx, sessionToken, e.sessionCtx.Identity.Username, e.AuthClient); err != nil {
-		return "", trace.Wrap(err)
-	}
-
 	snowflakeSession, err := e.AuthClient.GetSnowflakeSession(ctx, types.GetSnowflakeSessionRequest{SessionID: sessionToken})
 	if err != nil {
 		return "", trace.Wrap(err)

diff --git a/lib/tbot/service_outputs.go b/lib/tbot/service_outputs.go
@@ -448,11 +448,6 @@ func (s *outputsService) getRouteToApp(ctx context.Context, botIdentity *identit
 		return proto.RouteToApp{}, trace.Wrap(err)
 	}
 
-	err = auth.WaitForAppSession(ctx, ws.GetName(), ws.GetUser(), client)
-	if err != nil {
-		return proto.RouteToApp{}, trace.Wrap(err)
-	}
-
 	return proto.RouteToApp{
 		Name:        app.GetName(),
 		SessionID:   ws.GetName(),

diff --git a/lib/web/apps.go b/lib/web/apps.go
@@ -34,7 +34,6 @@ import (
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
 	apievents "github.com/gravitational/teleport/api/types/events"
-	"github.com/gravitational/teleport/lib/auth"
 	wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/httplib"
@@ -254,14 +253,6 @@ func (h *Handler) createAppSession(w http.ResponseWriter, r *http.Request, p htt
 		return nil, trace.Wrap(err)
 	}
 
-	// Block and wait a few seconds for the session that was created to show up
-	// in the cache. If this request is not blocked here, it can get stuck in a
-	// racy session creation loop.
-	err = h.waitForAppSession(r.Context(), ws.GetName(), ctx.GetUser())
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
 	// Extract the identity of the user.
 	certificate, err := tlsca.ParseCertificatePEM(ws.GetTLSCert())
 	if err != nil {
@@ -315,12 +306,6 @@ func (h *Handler) createAppSession(w http.ResponseWriter, r *http.Request, p htt
 	}, nil
 }
 
-// waitForAppSession will block until the requested application session shows up in the
-// cache or a timeout occurs.
-func (h *Handler) waitForAppSession(ctx context.Context, sessionID, user string) error {
-	return auth.WaitForAppSession(ctx, sessionID, user, h.cfg.AccessPoint)
-}
-
 type ResolveAppParams struct {
 	// FQDNHint indicates (tentatively) the fully qualified domain name of the application.
 	FQDNHint string `json:"fqdn,omitempty"`