feat: Accounting support (#3)

MirageTurtle · web-flow · commit a65e874489e8 · 2025-02-02T22:05:49.000+08:00
* Add access log support. Just support access log for accounting. * Add `ganted2radius` to parse and send accounting data to radius. Use crond to do it hourly. * Use github.com/robfig/cron instead of crond. * Remove hard-coded paths, and go fmt. * Upgrade cron to v3, defer write the access log, rotate the log files * Just rotate when accounting, and archive every 24 logfiles(daily) * rename archive file, make sure err during removing could be handled Delete `logFiles = logFiles[:maxBackup-1]` * Requested changes of #3 1. defer the close of `archiveFile` and `src` 2. use `log.Printf` to replace `fmt.Printf` and `fmt.Fprintf` 3. `panic()` if the log directory does not exist and can not be created either 4. fetching the previous writer and close it if valid * Format error message, use `log.Fatalf` for panic message of `Mkdir` * fix: the issue of ensuring file existence and related error return. add some comments, and fix some error message typo. * chore: `os.IsNotExist(err)` to `errors.Is(err, os.ErrNotExist)`
diff --git a/Dockerfile b/Dockerfile
@@ -9,9 +9,11 @@ WORKDIR /app
 COPY --from=builder /usr/src/app/ganted ./
 ENV GANTED_LISTEN=:6626 \
     RADIUS_SERVER=light-freeradius:1812 \
+    RADIUS_ACCOUNTING_SERVER=light-freeradius:1813 \
     RADIUS_SECRET=testing123 \
     GANTED_ACL=91.108.4.0/22,91.108.8.0/21,91.108.16.0/21,91.108.36.0/22,91.108.56.0/22,149.154.160.0/20,2001:67c:4e8::/48,2001:b28:f23c::/46 \
     GANTED_BIND_OUTPUT=0.0.0.0 \
     GANTED_AUTH_CACHE_RETENTION=10m \
-    GANTED_AUTH_CACHE_GC=10m
+    GANTED_AUTH_CACHE_GC=10m \
+    GANTED_LOG_DIR=/var/log/ganted
 CMD ["./ganted"]
diff --git a/src/ganted2radius.go b/src/ganted2radius.go
@@ -0,0 +1,264 @@
+package main
+
+import (
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"log"
+	"os"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/klauspost/compress/zstd"
+	"golang.org/x/net/context"
+	"layeh.com/radius"
+	"layeh.com/radius/rfc2865"
+	"layeh.com/radius/rfc2866"
+)
+
+// compressFile compresses the given file using zstd compression.
+// if the compressed file exists or any operation fails,
+// it returns an error.
+func compressFile(filepath string) error {
+	// open the file
+	file, err := os.Open(filepath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	compressedFilepath := filepath + ".zst"
+	// Check if the file already exists first
+	if _, err := os.Stat(compressedFilepath); err == nil {
+		return fmt.Errorf("file %s exists", compressedFilepath)
+	} else if !errors.Is(err, os.ErrNotExist) {
+		// If the error is something other than "file does not exist", return it
+		return err
+	}
+	// Create the file if it does not exist
+	compressedFile, err := os.Create(compressedFilepath)
+	if err != nil {
+		return err
+	}
+	defer compressedFile.Close()
+	// create the zstd writer
+	zw, err := zstd.NewWriter(compressedFile)
+	if err != nil {
+		return err
+	}
+	// copy the file to the zstd writer
+	_, err = io.Copy(zw, file)
+	if err != nil {
+		return err
+	}
+	// flush the zstd writer
+	if err := zw.Close(); err != nil {
+		return err
+	}
+	// remove the original file
+	if err := os.Remove(filepath); err != nil {
+		return err
+	}
+	return nil
+}
+
+func findLogs(logDir string, logPattern *regexp.Regexp) ([]string, error) {
+	var logFiles []string
+	err := filepath.WalkDir(logDir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.IsDir() && logPattern.MatchString(d.Name()) {
+			logFiles = append(logFiles, path)
+		}
+		return nil
+	})
+	return logFiles, err
+}
+
+func archiveLogs(logDir string, maxBackup int) error {
+	logPattern := regexp.MustCompile(`^access-\d{14}\.log$`)
+	logFiles, err := findLogs(logDir, logPattern)
+	if err != nil {
+		return err
+	}
+	if len(logFiles) >= maxBackup {
+		sort.Strings(logFiles)
+		// create archive log file with current date
+		date := time.Now().Format("20060102")
+		archiveFileName := fmt.Sprintf("archived-access-%s.log", date)
+		archiveFilePath := filepath.Join(logDir, archiveFileName)
+		// check if access-<date>.log.zst exists first
+		if _, err := os.Stat(archiveFilePath + ".zst"); err == nil {
+			return fmt.Errorf("file %s exists", archiveFileName+".zst")
+		} else if !errors.Is(err, os.ErrNotExist) {
+			// If the error is something other than "file does not exist", return it
+			return err
+		}
+		archiveFile, err := os.Create(archiveFilePath)
+		if err != nil {
+			return err
+		}
+		defer archiveFile.Close()
+		// concatenate `maxBackup` access-<datetime>.log files to access-<date>.log
+		for _, logFile := range logFiles {
+			src, err := os.Open(logFile)
+			if err != nil {
+				return err
+			}
+			defer src.Close()
+			_, err = io.Copy(archiveFile, src)
+			if err != nil {
+				return err
+			}
+
+		}
+		// compress access-<date>.log
+		if err := compressFile(archiveFilePath); err != nil {
+			return err
+		}
+		// If the archiveFile exists, some error occur, and archiveFile need to delete
+		// As the compressFile will remove the original archiveFile
+		// Else, everything is ok, delete the original log files
+		if _, err := os.Stat(archiveFilePath); !errors.Is(err, os.ErrNotExist) {
+			if err := os.Remove(archiveFilePath); err != nil {
+				return fmt.Errorf("err when removing file %s", archiveFilePath)
+			}
+		} else if err == nil {
+			for _, logFile := range logFiles {
+				if err := os.Remove(logFile); err != nil {
+					return fmt.Errorf("err when removing file %s", logFile)
+				}
+			}
+		} else {
+			return fmt.Errorf("Unknown err when clear original log file")
+		}
+	}
+	return nil
+}
+
+func parseLogFile(filename string) (map[string]int, error) {
+	file, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	stats := make(map[string]int)
+	scanner := bufio.NewScanner(file)
+
+	for scanner.Scan() {
+		line := scanner.Text()
+		fields := strings.Fields(line)
+		if len(fields) != 8 {
+			log.Printf("Skipping malformed line: %s\n", line)
+			continue
+		}
+
+		identity := fields[3]
+		bytesIn, err := strconv.Atoi(fields[6])
+		if err != nil {
+			log.Printf("Error parsing bytes in: %v\n", err)
+			continue
+		}
+		bytesOut, err := strconv.Atoi(fields[7])
+		if err != nil {
+			log.Printf("Error parsing bytes out: %v\n", err)
+			continue
+		}
+		totalBytes := bytesIn + bytesOut
+
+		stats[identity] += totalBytes
+	}
+
+	return stats, scanner.Err()
+}
+
+func (r *RadiusCredentials) sendAccountingData(identity string, bytes int) error {
+	// send an CodeAccessRequest for test
+	sessionID := strconv.FormatInt(time.Now().Unix(), 10)
+	log.Printf("Sending accounting data for identity %s, session ID %s, bytes %d\n", identity, sessionID, bytes)
+
+	// Send start accounting packet
+	startPacket := radius.New(radius.CodeAccountingRequest, []byte(r.Secret))
+	rfc2865.UserName_SetString(startPacket, identity)
+	rfc2865.NASIdentifier_SetString(startPacket, r.NASIdentifier)
+	rfc2866.AcctSessionID_Set(startPacket, []byte(sessionID))
+	rfc2866.AcctStatusType_Set(startPacket, rfc2866.AcctStatusType_Value_Start)
+	// log.Printf("Sending start packet\n")
+
+	startReply, err := radius.Exchange(context.Background(), startPacket, r.AccountingServer)
+	if err != nil {
+		return err
+	}
+	if startReply.Code != radius.CodeAccountingResponse {
+		return fmt.Errorf("unexpected response from RADIUS server")
+	}
+	// log.Printf("Received start reply\n")
+
+	// Send stop accounting packet
+	stopPacket := radius.New(radius.CodeAccountingRequest, r.Secret)
+	rfc2865.UserName_SetString(stopPacket, identity)
+	rfc2865.NASIdentifier_SetString(stopPacket, r.NASIdentifier)
+	rfc2866.AcctSessionID_SetString(stopPacket, sessionID)
+	rfc2866.AcctStatusType_Set(stopPacket, rfc2866.AcctStatusType_Value_Stop)
+	rfc2866.AcctOutputOctets_Set(stopPacket, rfc2866.AcctOutputOctets(bytes))
+	// log.Printf("Sending stop packet\n")
+
+	stopReply, err := radius.Exchange(context.Background(), stopPacket, r.AccountingServer)
+	if err != nil {
+		return err
+	}
+	if stopReply.Code != radius.CodeAccountingResponse {
+		return fmt.Errorf("unexpected response from RADIUS server")
+	}
+	// log.Printf("Received stop reply\n")
+
+	return nil
+}
+
+func (r *RadiusCredentials) accounting(accessLogger *log.Logger) error {
+	// Get the log directory
+	accessLogFileHandler, ok := accessLogger.Writer().(*os.File)
+	if !ok {
+		return fmt.Errorf("access log file is not a file")
+	}
+	accessLogFile := accessLogFileHandler.Name()
+	logDir := filepath.Dir(accessLogFile)
+	// rename the access.log file to access-<datetime>.log
+	now := time.Now()
+	dotIndex := strings.LastIndex(accessLogFile, ".")
+	accountingLogFile := accessLogFile[:dotIndex] + "-" + now.Format("20060102150405") + accessLogFile[dotIndex:]
+	if err := os.Rename(accessLogFile, accountingLogFile); err != nil {
+		return err
+	}
+	// ask accessLogger to reopen the access.log file
+	if err := setFileLoggerOutput(accessLogger, accessLogFile); err != nil {
+		return err
+	}
+	stats, err := parseLogFile(accountingLogFile)
+	if err != nil {
+		log.Printf("[ERR] Failed to parse log file %s: %v\n", accountingLogFile, err)
+		return err
+	}
+	// Sending accounting data
+	for identity, bytes := range stats {
+		err := r.sendAccountingData(identity, bytes)
+		if err != nil {
+			log.Printf("[ERR] Failed to send accounting data for identity %s: %v\n", identity, err)
+		} else {
+			log.Printf("Sent accounting data for identity %s\n", identity)
+		}
+	}
+	// Compress all access-<datetime>.log files in the log directory
+	if err := archiveLogs(logDir, 24); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/src/go-socks5/socks5.go b/src/go-socks5/socks5.go
@@ -6,8 +6,10 @@ import (
 	"log"
 	"net"
 	"os"
+	"time"
 
 	"golang.org/x/net/context"
+	"sync/atomic"
 )
 
 const (
@@ -46,10 +48,41 @@ type Config struct {
 	// Defaults to stdout.
 	Logger *log.Logger
 
+	// AccessLogger can be used to provide a custom access log target.
+	// Defaults to stdout.
+	AccessLogger *log.Logger
+
+	// ErrorLogger can be used to provide a custom error log target.
+	// Defaults to stdout.
+	ErrorLogger *log.Logger
+
 	// Optional function for dialing out
 	Dial func(ctx context.Context, network, addr string) (net.Conn, error)
 }
 
+// ConnWrapper is a wrapper around a net.Conn that provides a way to log read/write bytes
+type ConnWrapper struct {
+	net.Conn
+	ReadBytes  int64
+	WriteBytes int64
+}
+
+// Read reads data from the connection
+func (c *ConnWrapper) Read(b []byte) (int, error) {
+	n, err := c.Conn.Read(b)
+	// c.readBytes += int64(n) is not atomic
+	atomic.AddInt64(&c.ReadBytes, int64(n))
+	return n, err
+}
+
+// Write writes data to the connection
+func (c *ConnWrapper) Write(b []byte) (int, error) {
+	n, err := c.Conn.Write(b)
+	// c.writeBytes += int64(n) is not atomic
+	atomic.AddInt64(&c.WriteBytes, int64(n))
+	return n, err
+}
+
 // Server is reponsible for accepting connections and handling
 // the details of the SOCKS5 protocol
 type Server struct {
@@ -120,11 +153,15 @@ func (s *Server) Serve(l net.Listener) error {
 // ServeConn is used to serve a single connection.
 func (s *Server) ServeConn(conn net.Conn) error {
 	defer conn.Close()
+
+	// Wrap the connection to log read/write bytes
+	wrappedConn := &ConnWrapper{Conn: conn}
+
 	remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr)
 	if !ok {
 		return fmt.Errorf("Invalid remote address type: %T", conn.RemoteAddr())
 	}
-	bufConn := bufio.NewReader(conn)
+	bufConn := bufio.NewReader(wrappedConn)
 
 	// Read the version byte
 	version := []byte{0}
@@ -151,7 +188,7 @@ func (s *Server) ServeConn(conn net.Conn) error {
 	request, err := NewRequest(bufConn)
 	if err != nil {
 		if err == unrecognizedAddrType {
-			if err := sendReply(conn, addrTypeNotSupported, nil); err != nil {
+			if err := sendReply(wrappedConn, addrTypeNotSupported, nil); err != nil {
 				return fmt.Errorf("Failed to send reply: %v", err)
 			}
 		}
@@ -160,8 +197,21 @@ func (s *Server) ServeConn(conn net.Conn) error {
 	request.AuthContext = authContext
 	request.RemoteAddr = &AddrSpec{IP: remoteAddr.IP, Port: remoteAddr.Port}
 
+	// log access
+	// remoteAddr, identity, time_now, request, bytes_in, bytes_out
+	defer func() {
+		s.config.AccessLogger.Printf("%s %s %s %s %d %d",
+			remoteAddr,
+			authContext.Payload["Username"],
+			time.Now().Format(time.RFC3339),
+			request.DestAddr.String(),
+			wrappedConn.ReadBytes,
+			wrappedConn.WriteBytes,
+		)
+	}()
+
 	// Process the client request
-	if err := s.handleRequest(request, conn); err != nil {
+	if err := s.handleRequest(request, wrappedConn); err != nil {
 		err = fmt.Errorf("Failed to handle request: %v", err)
 		s.config.Logger.Printf("[ERR] socks %s: %v", remoteAddr, err)
 		return err
diff --git a/src/go.mod b/src/go.mod
@@ -7,7 +7,8 @@ replace github.com/armon/go-socks5 => ./go-socks5
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
 	github.com/kisom/netallow v0.0.0-20200609175051-08f6b004e41a
+	github.com/klauspost/compress v1.17.9
+	github.com/robfig/cron/v3 v3.0.1
+	golang.org/x/net v0.25.0
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
 )
-
-require golang.org/x/net v0.25.0 // indirect
diff --git a/src/go.sum b/src/go.sum
diff --git a/src/main.go b/src/main.go

-Original file line number
+Diff line change
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
 	github.com/kisom/netallow v0.0.0-20200609175051-08f6b004e41a
 +	github.com/klauspost/compress v1.17.9
 +	github.com/robfig/cron/v3 v3.0.1
 +	golang.org/x/net v0.25.0
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
+)
+-
 -require golang.org/x/net v0.25.0 // indirect