From bbe7bdcffa8c62d76b66939e29b3f9dbe407fe54 Mon Sep 17 00:00:00 2001
From: keliramu <ramunas.keliuotis@nordsec.com>
Date: Tue, 3 Dec 2024 16:22:06 +0200
Subject: [PATCH] Add snap refresh postpone, add snap interfaces connect before
 validation

Signed-off-by: keliramu <ramunas.keliuotis@nordsec.com>
---
 ci/install_snap.sh   |  8 +++-----
 ci/snap_functions.sh | 40 +++++++++++++++++++++++++++++++++++++
 ci/validate_snap.sh  | 47 ++++++++++++++++++++++++++++++++------------
 3 files changed, 77 insertions(+), 18 deletions(-)
 create mode 100755 ci/snap_functions.sh

diff --git a/ci/install_snap.sh b/ci/install_snap.sh
index 312c23c1..18676c9e 100755
--- a/ci/install_snap.sh
+++ b/ci/install_snap.sh
@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 set -euxo pipefail
 
+source "${WORKDIR}/ci/snap_functions.sh"
+
 # if host does not have ip6table modules loaded, we must loaded it the docker
 if [[ ! $(sudo ip6tables -S) ]]; then
     if [[ ! $(command -v modprobe) ]]; then
@@ -17,10 +19,6 @@ find "${WORKDIR}"/ -type f -name "*amd64.snap" \
 	-exec sudo snap install --dangerous "{}" +
 
 echo "~~~GRANT permissions - connect snap interfaces"
-sudo snap connect nordvpn:network-control
-sudo snap connect nordvpn:network-observe
-sudo snap connect nordvpn:firewall-control
-sudo snap connect nordvpn:system-observe
-sudo snap connect nordvpn:login-session-observe
+snap_connect_interfaces
 
 echo "~~~INSTALL Snap DONE."
diff --git a/ci/snap_functions.sh b/ci/snap_functions.sh
new file mode 100755
index 00000000..24c74ef5
--- /dev/null
+++ b/ci/snap_functions.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+snap_connect_interfaces() {
+    local SNAP_NAME=nordvpn
+
+    # List all connections for the Snap
+    echo "Checking connections for Snap package: ${SNAP_NAME}"
+    connections=$(snap connections "${SNAP_NAME}")
+
+    # Display and process unconnected interfaces
+    echo
+    echo "Unconnected connections for ${SNAP_NAME}:"
+    unconnected=$(echo "${connections}" | awk '
+    NR > 1 && $3 == "-" {
+        print $1
+    }')
+
+    if [ -z "${unconnected}" ]; then
+        echo "All connections are already connected."
+        return
+    fi
+
+    echo "${unconnected}"
+
+    # Attempt to connect each unconnected interface
+    echo
+    for interface in ${unconnected}; do
+        echo "Connecting interface: ${interface}"
+        if sudo snap connect "${SNAP_NAME}:${interface}"; then
+            echo "Successfully connected: ${interface}"
+        else
+            echo "Failed to connect: ${interface}"
+        fi
+    done
+
+    echo
+    echo "Connection process completed for ${SNAP_NAME}."
+    # Show current connections state
+    snap connections "${SNAP_NAME}"
+}
diff --git a/ci/validate_snap.sh b/ci/validate_snap.sh
index d840a387..001c3593 100755
--- a/ci/validate_snap.sh
+++ b/ci/validate_snap.sh
@@ -3,8 +3,15 @@ set -euxo pipefail
 
 # NOTE: this script should be run in systemd/snapd environment, non-root
 
+source "${WORKDIR}/ci/snap_functions.sh"
+
 source "${WORKDIR}"/ci/env.sh
 
+# to get over: snap "snapd" has "auto-refresh" change in progress
+echo "~~~set snap refresh on hold - for snapd"
+sudo snap refresh --hold='720h' snapd
+
+
 # snap contains binaries which are always stripped, same as deb/rpm
 STRIPPED_STATUS=", stripped"
 
@@ -19,6 +26,10 @@ for FILE in $FILES; do
     break #only one file is expected
 done
 
+echo "~~~set snap refresh on hold - for nordvpn"
+sudo snap refresh --hold='720h' nordvpn
+
+
 echo "~~~running on host info: "
 uname -a
 
@@ -48,27 +59,37 @@ esac
 echo "~~~check2.2: binary is stripped/not stripped"
 echo "${file_info}" | grep "${STRIPPED_STATUS}"
 
-# give some time for service to start
+echo "~~~fix permissions"
+sudo groupadd nordvpn
+sudo usermod -aG nordvpn "${USER}"
+
+echo "~~~connect snap interfaces"
+snap_connect_interfaces
+
+echo "~~~restart snap nordvpn service"
+sudo snap stop nordvpn
+sudo snap start nordvpn
+
 sleep 5
 
+
+SERVICE_UNIT=snap.nordvpn.nordvpnd.service
+
+if systemctl is-failed --quiet "${SERVICE_UNIT}"; then
+    echo "~~~snap logs nordvpn"
+    sudo snap logs -n=100 nordvpn
+
+    echo "~~~journalctl ${SERVICE_UNIT}"
+    sudo journalctl -n 100 -u "${SERVICE_UNIT}"
+fi
+
 echo "~~~info: nordvpnd service status"
-systemctl status snap.nordvpn.nordvpnd.service
 
-# based on experiments, need more time for service to fully start
-sleep 5
+systemctl status "${SERVICE_UNIT}"
 
 echo "~~~check3: socket file: if file present -> service is started/running"
 ls -la /var/snap/nordvpn/common/run/nordvpn/nordvpnd.sock
 
-echo "~~~fix permissions"
-sudo groupadd nordvpn
-sudo usermod -aG nordvpn "${USER}"
-sudo snap connect nordvpn:network-control
-sudo snap connect nordvpn:network-observe
-sudo snap connect nordvpn:firewall-control
-sudo snap connect nordvpn:login-session-observe
-sudo snap connect nordvpn:system-observe
-
 echo "~~~check4: minimal test"
 nordvpn version
 nordvpn status