sa: Fix modelToOrder to populate V2Authorizations from Authzs column (#8514)

In 978877a35 ("Store
authzIDs directly in order table"), the modelToOrder function was
updated to decode the new Authzs protobuf column, but the decoded values
were never assigned to the order's V2Authorizations field. This caused
the StoreAuthzsInOrders feature to not work correctly for reads.

The bug meant that even with StoreAuthzsInOrders enabled:
1. Reads always fell back to querying the orderToAuthz2 table
2. The Authzs blob was parsed but the result was discarded
3. Eventually dropping orderToAuthz2 would break all order reads

The fix assigns the decoded authz IDs to V2Authorizations, allowing
orders with the new column populated to skip the fallback query.

Also adds TestModelToOrderAuthzs to verify the fix and prevent
regression.

Author: aaomidi

sa/model.go

@@ -364,12 +364,14 @@ func modelToOrder(om *orderModel) (*corepb.Order, error) {
 	if om.Replaces != nil {
 		replaces = *om.Replaces
 	}
+	var v2Authorizations []int64
 	if len(om.Authzs) > 0 {
 		var decodedAuthzs sapb.Authzs
 		err := proto.Unmarshal(om.Authzs, &decodedAuthzs)
 		if err != nil {
 			return nil, err
 		}
+		v2Authorizations = decodedAuthzs.AuthzIDs
 	}
 	order := &corepb.Order{
 		Id:                     om.ID,
@@ -380,6 +382,7 @@ func modelToOrder(om *orderModel) (*corepb.Order, error) {
 		BeganProcessing:        om.BeganProcessing,
 		CertificateProfileName: profile,
 		Replaces:               replaces,
+		V2Authorizations:       v2Authorizations,
 	}
 	if len(om.Error) > 0 {
 		var problem corepb.ProblemDetails

sa/model_test.go

@@ -11,16 +11,19 @@ import (
 	"fmt"
 	"math/big"
 	"net/netip"
+	"slices"
 	"testing"
 	"time"
 
 	"github.com/jmhodges/clock"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/letsencrypt/boulder/db"
 	"github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/probs"
+	sapb "github.com/letsencrypt/boulder/sa/proto"
 	"github.com/letsencrypt/boulder/test/vars"
 
 	"github.com/letsencrypt/boulder/core"
@@ -223,6 +226,42 @@ func TestModelToOrderBadJSON(t *testing.T) {
 	test.AssertEquals(t, string(badJSONErr.json), string(badJSON))
 }
 
+// TestModelToOrderAuthzs tests that the Authzs field is properly decoded and
+// assigned to V2Authorizations.
+func TestModelToOrderAuthzs(t *testing.T) {
+	expectedAuthzIDs := []int64{1, 2, 3, 42}
+	encodedAuthzs, err := proto.Marshal(&sapb.Authzs{AuthzIDs: expectedAuthzIDs})
+	test.AssertNotError(t, err, "failed to marshal authzs")
+
+	testCases := []struct {
+		name             string
+		model            *orderModel
+		expectedAuthzIDs []int64
+	}{
+		{
+			name:             "with authzs",
+			model:            &orderModel{Authzs: encodedAuthzs},
+			expectedAuthzIDs: expectedAuthzIDs,
+		},
+		{
+			name:             "without authzs",
+			model:            &orderModel{},
+			expectedAuthzIDs: nil,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			order, err := modelToOrder(tc.model)
+			if err != nil {
+				t.Fatalf("modelToOrder(%v) = %s, want success", tc.model, err)
+			}
+			if !slices.Equal(order.V2Authorizations, tc.expectedAuthzIDs) {
+				t.Errorf("modelToOrder(%v) = %v, want %v", tc.model, order.V2Authorizations, tc.expectedAuthzIDs)
+			}
+		})
+	}
+}
+
 // TestPopulateAttemptedFieldsBadJSON tests that populating a challenge from an
 // authz2 model with an invalid validation error or an invalid validation record
 // produces the expected bad JSON error.