From 77892832b7672a5fe4cc60b0ec9e19820c6e3231 Mon Sep 17 00:00:00 2001
From: Renuka Manavalan <47282725+renukamanavalan@users.noreply.github.com>
Date: Mon, 2 Aug 2021 10:33:55 -0700
Subject: [PATCH] Add service to restore TACACS from old config (#7560) (#8233)

Why I did it
In upgrade scenarios, where config_db.json is not carry forwarded to new image, it could be left w/o TACACS credentials. Added a service to trigger 5 minutes after boot and restore TACACS, if /etc/sonic/old_config/tacacs.json is present.

How I did it
By adding a service, that would fire 5 mins after boot. This service apply tacacs if available.

How to verify it
Upgrade and watch status of tacacs.timer & tacacs.service You may create /etc/sonic/old_config/tacacs.json, with updated credentials (before 5mins after boot) and see that appears in config & persisted too.
---
 .../build_templates/sonic_debian_extension.j2 | 7 +++++++
 files/build_templates/tacacs-config.service | 10 +++++++++
 files/build_templates/tacacs-config.timer | 12 +++++++++++
 files/image_config/updategraph/updategraph | 21 ++++++++++++++-----
 4 files changed, 45 insertions(+), 5 deletions(-)
 create mode 100644 files/build_templates/tacacs-config.service
 create mode 100644 files/build_templates/tacacs-config.timer
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index fe2f360374..f431d7bec7 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -235,6 +235,13 @@ sudo bash -c "echo '{ \"DEVICE_METADATA\": { \"localhost\": { \"default_bgp_stat
 \"{{crm_res}}_threshold_type\": \"percentage\", \"{{crm_res}}_low_threshold\": \"70\", \"{{crm_res}}_high_threshold\": \"85\"{% if not loop.last %}, {% endif %} {%- endfor %} } } }' >> $FILESYSTEM_ROOT/etc/sonic/init_cfg.json"
+# Add delayed tacacs application service
+sudo cp files/build_templates/tacacs-config.timer $FILESYSTEM_ROOT/etc/systemd/system/
+sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable tacacs-config.timer
+
+sudo cp files/build_templates/tacacs-config.service $FILESYSTEM_ROOT/etc/systemd/system/
+sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable tacacs-config.service
+
 # Copy SNMP configuration files
 sudo cp $IMAGE_CONFIGS/snmp/snmp.yml $FILESYSTEM_ROOT/etc/sonic/
diff --git a/files/build_templates/tacacs-config.service b/files/build_templates/tacacs-config.service
new file mode 100644
index 0000000000..481ec77c84
--- /dev/null
+++ b/files/build_templates/tacacs-config.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TACACS application
+Requires=updategraph.service
+After=updategraph.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/updategraph apply_tacacs
+RemainAfterExit=yes
+
diff --git a/files/build_templates/tacacs-config.timer b/files/build_templates/tacacs-config.timer
new file mode 100644
index 0000000000..28314e06f4
--- /dev/null
+++ b/files/build_templates/tacacs-config.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Delays tacacs apply until SONiC has started
+PartOf=tacacs-config.service
+After=updategraph.service
+
+[Timer]
+OnUnitActiveSec=0 sec
+OnBootSec=5min 30 sec
+Unit=tacacs-config.service
+
+[Install]
+WantedBy=timers.target updategraph.service
diff --git a/files/image_config/updategraph/updategraph b/files/image_config/updategraph/updategraph
index d32ce60c07..a582bac235 100755
--- a/files/image_config/updategraph/updategraph
+++ b/files/image_config/updategraph/updategraph
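Review bot: The line `sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable tacacs-config.service` enables a unit that, in the tacacs-config.service hunk below, has no `[Install]` section, so as far as I can tell systemctl only reports that the unit has no installation config and does nothing; confirm in the chroot that it does not fail the build step on the systemd version shipped. The service is started by tacacs-config.timer, which is the unit that carries the `[Install]` section and is already enabled two lines above, so dropping the service `enable` line leaves the activation path unchanged. If the service is also meant to be started without the timer, give it an `[Install]` section instead of enabling a unit that lacks one. The same observation applies to the `[Install]`-less unit in the tacacs-config.service hunk.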
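Review bot: `OnUnitActiveSec=0 sec` arms the timer relative to the last activation of tacacs-config.service, and because that service sets `RemainAfterExit=yes` it never leaves the active state after its first run, so it is unclear from the unit whether a single run or repeated re-triggering is intended; if the description's "fire 5 mins after boot" is the goal, `OnBootSec=5min 30 sec` alone expresses it and the `OnUnitActiveSec=0 sec` line should be dropped. `PartOf=tacacs-config.service` on the timer also reads inverted, since it ties the timer's stop/restart to the unit it triggers rather than the other way round, which is normally not wanted on a timer. `WantedBy=timers.target updategraph.service` pulls the timer in whenever updategraph.service is started; that may be deliberate, but a one-line comment in the `[Install]` section stating why (`# also pulled in by updategraph.service so a later graph update re-arms the restore`, if that is the reason) would spare the next reader guessing.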
@@ -16,11 +16,6 @@ reload_minigraph()
 acl-loader update full /etc/sonic/acl.json
 fi
 config qos reload
- if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then
- sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db
- else
- echo "Missing tacacs json to restore tacacs credentials"
- fi
 DEVICE_TYPE=`sonic-cfggen -m -v DEVICE_METADATA.localhost.type`
 if [[ "${DEVICE_TYPE}" != "MgmtToRRouter" && "${DEVICE_TYPE}" != "EPMS" ]]; then
 pfcwd start_default
@@ -32,6 +27,17 @@ reload_minigraph()
 fi
 }
+function apply_tacacs()
+{
+ if [ -r /etc/sonic/old_config/${TACACS_JSON_BACKUP} ]; then
+ sonic-cfggen -j /etc/sonic/old_config/${TACACS_JSON_BACKUP} --write-to-db
+ echo "Applied tacacs json to restore tacacs credentials"
+ config save -y
+ else
+ echo "Missing tacacs json to restore tacacs credentials"
+ fi
+}
+
 function copy_config_files_and_directories()
 {
 for file_dir in $@; do
@@ -58,6 +64,11 @@ function check_system_warm_boot()
 }
+if [ "$1" = "apply_tacacs" ]; then
+ apply_tacacs
+ exit 0
+fi
+
 if [ ! -f /etc/sonic/updategraph.conf ]; then
 echo "No updategraph.conf found, generating a default one."
 echo "enabled=false" >/etc/sonic/updategraph.conf
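Review bot: In the new apply_tacacs the `echo "Applied ..."` and `config save -y` run even when `sonic-cfggen ... --write-to-db` fails, because its exit status is never checked and no `set -e` is visible in this hunk, so a rejected or malformed backup still persists the running config to disk and the oneshot unit reports success. The write should gate the save, and a failure should be returned to the caller so the dispatch added in the later hunk can exit non-zero instead of its unconditional `exit 0`. `TACACS_JSON_BACKUP` is defined outside this hunk; if it is ever empty the `-r` test succeeds on the old_config directory itself, so a `: "${TACACS_JSON_BACKUP:?}"` guard at the top of the function is cheap insurance. Note also that `config save -y` persists the whole running config_db, not only the TACACS tables, so any unsaved operator change present when the timer fires becomes permanent as a side effect; that deserves a comment above the call, as in the rewrite below.
```shell
function apply_tacacs()
{
    : "${TACACS_JSON_BACKUP:?TACACS_JSON_BACKUP must be set}"
    local backup="/etc/sonic/old_config/${TACACS_JSON_BACKUP}"
    if [ ! -r "${backup}" ]; then
        echo "Missing tacacs json to restore tacacs credentials"
        return 0
    fi
    if ! sonic-cfggen -j "${backup}" --write-to-db; then
        echo "Failed to apply ${backup} to restore tacacs credentials" >&2
        return 1
    fi
    echo "Applied tacacs json to restore tacacs credentials"
    # Persists the entire running config_db, not only the TACACS tables.
    config save -y
}
```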