FIX (databases): Add support dashed databases for read only users creation

RostislavDugin · RostislavDugin · commit db71a5ef7b00 · 2025-12-11T19:57:49.000+03:00
diff --git a/backend/internal/features/databases/databases/postgresql/model.go b/backend/internal/features/databases/databases/postgresql/model.go
@@ -424,22 +424,22 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 		// Step 2: Grant database connection privilege and revoke TEMP
 		_, err = tx.Exec(
 			ctx,
-			fmt.Sprintf(`GRANT CONNECT ON DATABASE %s TO "%s"`, *p.Database, baseUsername),
+			fmt.Sprintf(`GRANT CONNECT ON DATABASE "%s" TO "%s"`, *p.Database, baseUsername),
 		)
 		if err != nil {
 			return "", "", fmt.Errorf("failed to grant connect privilege: %w", err)
 		}
 
 		// Revoke TEMP privilege from PUBLIC role (like CREATE on public schema, TEMP is granted to PUBLIC by default)
-		_, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE TEMP ON DATABASE %s FROM PUBLIC`, *p.Database))
+		_, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE TEMP ON DATABASE "%s" FROM PUBLIC`, *p.Database))
 		if err != nil {
 			logger.Warn("Failed to revoke TEMP from PUBLIC", "error", err)
 		}
 
 		// Also revoke from the specific user (belt and suspenders)
 		_, err = tx.Exec(
 			ctx,
-			fmt.Sprintf(`REVOKE TEMP ON DATABASE %s FROM "%s"`, *p.Database, baseUsername),
+			fmt.Sprintf(`REVOKE TEMP ON DATABASE "%s" FROM "%s"`, *p.Database, baseUsername),
 		)
 		if err != nil {
 			logger.Warn("Failed to revoke TEMP privilege", "error", err, "username", baseUsername)
diff --git a/backend/internal/features/databases/databases/postgresql/readonly_user_test.go b/backend/internal/features/databases/databases/postgresql/readonly_user_test.go
@@ -246,6 +246,81 @@ func Test_ReadOnlyUser_MultipleSchemas_AllAccessible(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_CreateReadOnlyUser_DatabaseNameWithDash_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToPostgresContainer(t, env.TestPostgres16Port)
+	defer container.DB.Close()
+
+	dashDbName := "test-db-with-dash"
+
+	_, err := container.DB.Exec(fmt.Sprintf(`DROP DATABASE IF EXISTS "%s"`, dashDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf(`CREATE DATABASE "%s"`, dashDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf(`DROP DATABASE IF EXISTS "%s"`, dashDbName))
+	}()
+
+	dashDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, container.Username, container.Password, dashDbName)
+	dashDB, err := sqlx.Connect("postgres", dashDSN)
+	assert.NoError(t, err)
+	defer dashDB.Close()
+
+	_, err = dashDB.Exec(`
+		CREATE TABLE dash_test (
+			id SERIAL PRIMARY KEY,
+			data TEXT NOT NULL
+		);
+		INSERT INTO dash_test (data) VALUES ('test1'), ('test2');
+	`)
+	assert.NoError(t, err)
+
+	pgModel := &PostgresqlDatabase{
+		Version:  tools.GetPostgresqlVersionEnum("16"),
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &dashDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.NotEmpty(t, username)
+	assert.NotEmpty(t, password)
+	assert.True(t, strings.HasPrefix(username, "postgresus-"))
+
+	readOnlyDSN := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
+		container.Host, container.Port, username, password, dashDbName)
+	readOnlyConn, err := sqlx.Connect("postgres", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var count int
+	err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM dash_test")
+	assert.NoError(t, err)
+	assert.Equal(t, 2, count)
+
+	_, err = readOnlyConn.Exec("INSERT INTO dash_test (data) VALUES ('should-fail')")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "permission denied")
+
+	_, err = dashDB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+	if err != nil {
+		t.Logf("Warning: Failed to drop owned objects: %v", err)
+	}
+
+	_, err = dashDB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+	assert.NoError(t, err)
+}
+
 func Test_CreateReadOnlyUser_Supabase_UserCanReadButNotWrite(t *testing.T) {
 	env := config.GetEnv()
 

Original file line number	Diff line number	Diff line change
`@@ -424,22 +424,22 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(`
`424`	`424`	`// Step 2: Grant database connection privilege and revoke TEMP`
`425`	`425`	`_, err = tx.Exec(`
`426`	`426`	`ctx,`
`427`		- fmt.Sprintf(`GRANT CONNECT ON DATABASE %s TO "%s"`, *p.Database, baseUsername),
	`427`	+ fmt.Sprintf(`GRANT CONNECT ON DATABASE "%s" TO "%s"`, *p.Database, baseUsername),
`428`	`428`	`)`
`429`	`429`	`if err != nil {`
`430`	`430`	`return "", "", fmt.Errorf("failed to grant connect privilege: %w", err)`
`431`	`431`	`}`
`432`	`432`
`433`	`433`	`// Revoke TEMP privilege from PUBLIC role (like CREATE on public schema, TEMP is granted to PUBLIC by default)`
`434`		- _, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE TEMP ON DATABASE %s FROM PUBLIC`, *p.Database))
	`434`	+ _, err = tx.Exec(ctx, fmt.Sprintf(`REVOKE TEMP ON DATABASE "%s" FROM PUBLIC`, *p.Database))
`435`	`435`	`if err != nil {`
`436`	`436`	`logger.Warn("Failed to revoke TEMP from PUBLIC", "error", err)`
`437`	`437`	`}`
`438`	`438`
`439`	`439`	`// Also revoke from the specific user (belt and suspenders)`
`440`	`440`	`_, err = tx.Exec(`
`441`	`441`	`ctx,`
`442`		- fmt.Sprintf(`REVOKE TEMP ON DATABASE %s FROM "%s"`, *p.Database, baseUsername),
	`442`	+ fmt.Sprintf(`REVOKE TEMP ON DATABASE "%s" FROM "%s"`, *p.Database, baseUsername),
`443`	`443`	`)`
`444`	`444`	`if err != nil {`
`445`	`445`	`logger.Warn("Failed to revoke TEMP privilege", "error", err, "username", baseUsername)`