change silo_group index to "time_deleted IS NULL", add test for deleted groups

Author: jmpesp

common/src/sql/dbinit.sql

@@ -291,7 +291,7 @@ CREATE TABLE omicron.public.silo_group (
 CREATE INDEX ON omicron.public.silo_group (
     silo_id
 ) WHERE
-    time_deleted IS NOT NULL;
+    time_deleted IS NULL;
 
 CREATE UNIQUE INDEX ON omicron.public.silo_group (
     silo_id,

nexus/src/db/datastore/silo.rs

@@ -276,7 +276,7 @@ impl DataStore {
                     silo_group_membership::dsl::silo_group_id.eq_any(
                         silo_group::dsl::silo_group
                             .filter(silo_group::dsl::silo_id.eq(id))
-                            .filter(silo_group::dsl::time_deleted.is_not_null())
+                            .filter(silo_group::dsl::time_deleted.is_null())
                             .select(silo_group::dsl::id),
                     ),
                 )

nexus/tests/integration_tests/silos.rs

@@ -1293,3 +1293,73 @@ async fn test_silo_groups_remove_from_both_groups(
 
     assert!(group_names.contains(&"c-group".to_string()));
 }
+
+// Test that silo delete cleans up associated groups
+#[nexus_test]
+async fn test_silo_delete_clean_up_groups(cptestctx: &ControlPlaneTestContext) {
+    let client = &cptestctx.external_client;
+    let nexus = &cptestctx.server.apictx.nexus;
+
+    // Create a silo
+    let silo =
+        create_silo(&client, "test-silo", true, shared::UserProvisionType::Jit)
+            .await;
+
+    let opctx = OpContext::for_tests(
+        cptestctx.logctx.log.new(o!()),
+        nexus.datastore().clone(),
+    );
+
+    // Create an admin user
+    let (authz_silo, db_silo) = LookupPath::new(&opctx, &nexus.datastore())
+        .silo_name(&silo.identity.name.into())
+        .fetch()
+        .await
+        .unwrap();
+
+    // Add a user with a group membership
+    let silo_user = nexus
+        .silo_user_from_authenticated_subject(
+            &nexus.opctx_external_authn(),
+            &authz_silo,
+            &db_silo,
+            &AuthenticatedSubject {
+                external_id: "user@company.com".into(),
+                groups: vec!["sre".into()],
+            },
+        )
+        .await
+        .expect("silo_user_from_authenticated_subject")
+        .unwrap();
+
+    // Delete the silo
+    NexusRequest::object_delete(&client, &"/silos/test-silo")
+        .authn_as(AuthnMode::PrivilegedUser)
+        .execute()
+        .await
+        .expect("failed to make request");
+
+    // Expect the group is gone
+    assert!(nexus
+        .datastore()
+        .silo_group_optional_lookup(&opctx, &authz_silo, "a-group".into(),)
+        .await
+        .expect("silo_group_optional_lookup")
+        .is_none());
+
+    // Expect the group membership is gone
+    let memberships = nexus
+        .datastore()
+        .silo_group_membership_for_user(&opctx, &authz_silo, silo_user.id())
+        .await
+        .expect("silo_group_membership_for_user");
+
+    assert!(memberships.is_empty());
+
+    // Expect the user is gone
+    LookupPath::new(&opctx, &nexus.datastore())
+        .silo_user_id(silo_user.id())
+        .fetch()
+        .await
+        .expect_err("user found");
+}