Fix MaxConcurrentQueries default and add circuit breaker (#425)

Major improvements:
- Fix test hangs by setting default MaxConcurrentQueries to 1000
- Add circuit breaker pattern to prevent cascading failures
- Limit concurrent goroutines to prevent resource exhaustion
- Re-enable gosec and staticcheck linters
- Add 955 lines of comprehensive tests

Author: semihalev

.golangci.yml

@@ -8,13 +8,12 @@ run:
 linters:
   disable:
     - errcheck
-    - staticcheck
-    - goconst
-    - gosec
   enable:
     - govet
     - ineffassign
     - unused
     - misspell
     - unconvert
     - gocritic
+    - gosec
+    - staticcheck

api/api.go

@@ -175,8 +175,9 @@ func (a *API) Run(ctx context.Context) {
 	a.router.GET("/metrics", a.metrics)
 
 	srv := &http.Server{
-		Addr:    a.addr,
-		Handler: a.router,
+		Addr:              a.addr,
+		Handler:           a.router,
+		ReadHeaderTimeout: 10 * time.Second,
 	}
 
 	go func() {

api/router.go

@@ -50,7 +50,7 @@ func (rt *Router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 			zlog.Error("Recovered in API", "recover", r)
 
-			_, _ = os.Stderr.WriteString(fmt.Sprintf("panic: %v\n\n", r))
+			_, _ = fmt.Fprintf(os.Stderr, "panic: %v\n\n", r)
 			debug.PrintStack()
 		}
 	}()

api/tree.go

@@ -323,28 +323,28 @@ func (node *treeNode) addChild(child *treeNode) {
 	case node.startIndex == 0:
 		node.startIndex = firstChar
 		node.indices = []uint8{0}
-		node.endIndex = node.startIndex + uint8(len(node.indices))
+		node.endIndex = node.startIndex + uint8(len(node.indices)) //nolint:gosec // G115 - slice length is controlled
 
 	case firstChar < node.startIndex:
 		diff := node.startIndex - firstChar
-		newIndices := make([]uint8, diff+uint8(len(node.indices)))
+		newIndices := make([]uint8, diff+uint8(len(node.indices))) //nolint:gosec // G115 - slice length is controlled
 		copy(newIndices[diff:], node.indices)
 		node.startIndex = firstChar
 		node.indices = newIndices
-		node.endIndex = node.startIndex + uint8(len(node.indices))
+		node.endIndex = node.startIndex + uint8(len(node.indices)) //nolint:gosec // G115 - slice length is controlled
 
 	case firstChar >= node.endIndex:
 		diff := firstChar - node.endIndex + 1
-		newIndices := make([]uint8, diff+uint8(len(node.indices)))
+		newIndices := make([]uint8, diff+uint8(len(node.indices))) //nolint:gosec // G115 - slice length is controlled
 		copy(newIndices, node.indices)
 		node.indices = newIndices
-		node.endIndex = node.startIndex + uint8(len(node.indices))
+		node.endIndex = node.startIndex + uint8(len(node.indices)) //nolint:gosec // G115 - slice length is controlled
 	}
 
 	index := node.indices[firstChar-node.startIndex]
 
 	if index == 0 {
-		node.indices[firstChar-node.startIndex] = uint8(len(node.children))
+		node.indices[firstChar-node.startIndex] = uint8(len(node.children)) //nolint:gosec // G115 - children length is controlled
 		node.children = append(node.children, child)
 		return
 	}

authcache/authserver_test.go

@@ -19,7 +19,7 @@ func Test_TrySort(t *testing.T) {
 		s.List = append(s.List, NewAuthServer(fmt.Sprintf("[::%d]:53", i), IPv6))
 	}
 
-	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	r := rand.New(rand.NewSource(time.Now().UnixNano())) //nolint:gosec // G404 - test file, not used for crypto
 	for i := 0; i < 2000; i++ {
 		for j := range s.List {
 			s.List[j].Count++

cache/cache.go

@@ -136,11 +136,11 @@ func (c *Cache) clearSegments(percent int) {
 	}
 
 	// Rotate which segments we clear to be fair
-	startSegment := c.evictionCount.Add(1) % uint64(segmentCount)
+	startSegment := c.evictionCount.Add(1) % uint64(segmentCount) //nolint:gosec // G115 - segmentCount is a constant
 
 	for i := 0; i < segmentsToClear; i++ {
-		segmentIndex := (startSegment + uint64(i)) % uint64(segmentCount)
-		c.data.ClearSegment(int(segmentIndex))
+		segmentIndex := (startSegment + uint64(i)) % uint64(segmentCount) //nolint:gosec // G115 - i is small and bounded
+		c.data.ClearSegment(int(segmentIndex))                            //nolint:gosec // G115 - segmentIndex is always < segmentCount
 	}
 }
 

cache/cache_bound_test.go

@@ -24,7 +24,7 @@ func TestCacheBoundStrict(t *testing.T) {
 
 	// Add items continuously and check size
 	for i := 0; i < maxSize*10; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - i is bounded by loop
 
 		currentSize := int64(c.Len())
 		for {
@@ -93,7 +93,7 @@ func TestCacheBoundUnderHeavyConcurrency(t *testing.T) {
 			defer wg.Done()
 
 			for i := 0; i < itemsPerGoroutine; i++ {
-				key := uint64(goroutineID*itemsPerGoroutine + i)
+				key := uint64(goroutineID*itemsPerGoroutine + i) //nolint:gosec // G115 - bounded by test parameters
 				c.Add(key, fmt.Sprintf("value-%d-%d", goroutineID, i))
 
 				// Occasionally check size
@@ -132,7 +132,7 @@ func TestCacheEvictionEffectiveness(t *testing.T) {
 
 	// Fill cache completely
 	for i := 0; i < maxSize; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - i is bounded by maxSize
 	}
 
 	initialSize := c.Len()
@@ -142,21 +142,21 @@ func TestCacheEvictionEffectiveness(t *testing.T) {
 
 	// Add more items to trigger eviction
 	for i := maxSize; i < maxSize*2; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - i is bounded by maxSize*2
 	}
 
 	// Count how many of the original items remain
 	originalRemaining := 0
 	for i := 0; i < maxSize; i++ {
-		if _, found := c.Get(uint64(i)); found {
+		if _, found := c.Get(uint64(i)); found { //nolint:gosec // G115 - i is bounded by maxSize
 			originalRemaining++
 		}
 	}
 
 	// Count how many new items were added
 	newItems := 0
 	for i := maxSize; i < maxSize*2; i++ {
-		if _, found := c.Get(uint64(i)); found {
+		if _, found := c.Get(uint64(i)); found { //nolint:gosec // G115 - i is bounded by maxSize*2
 			newItems++
 		}
 	}
@@ -211,12 +211,12 @@ func TestCacheSizeMonitoring(t *testing.T) {
 	start := time.Now()
 	i := 0
 	for time.Since(start) < 500*time.Millisecond {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - i is loop counter
 		i++
 
 		// Add some reads to simulate real usage
 		if i%10 == 0 {
-			c.Get(uint64(i / 2))
+			c.Get(uint64(i / 2)) //nolint:gosec // G115 - i is loop counter
 		}
 	}
 
@@ -268,7 +268,7 @@ func TestCacheEvictionDeadlock(t *testing.T) {
 	go func() {
 		// Continuously add items
 		for i := 0; i < 10000; i++ {
-			c.Add(uint64(i), i)
+			c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 		}
 		done <- true
 	}()
@@ -291,7 +291,7 @@ func TestCacheEvictionWithLargeItems(t *testing.T) {
 		// Create values of different sizes
 		size := (i % 100) + 1
 		value := make([]byte, size*100) // Simulate different memory usage
-		c.Add(uint64(i), value)
+		c.Add(uint64(i), value)         //nolint:gosec // G115 - test loop
 
 		if i%100 == 0 {
 			currentSize := c.Len()
@@ -316,15 +316,15 @@ func BenchmarkCacheBoundChecking(b *testing.B) {
 
 			// Pre-fill to 80% capacity
 			for i := 0; i < size*8/10; i++ {
-				c.Add(uint64(i), i)
+				c.Add(uint64(i), i) //nolint:gosec // G115 - benchmark loop
 			}
 
 			b.ResetTimer()
 			b.RunParallel(func(pb *testing.PB) {
 				i := 0
 				for pb.Next() {
 					// This will trigger eviction checking
-					c.Add(uint64(i), i)
+					c.Add(uint64(i), i) //nolint:gosec // G115 - benchmark loop
 					i++
 				}
 			})

cache/cache_comparison_test.go

@@ -36,9 +36,9 @@ func benchmarkCachePerf(b *testing.B, size int, readRatio float64) {
 
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
-		rng := rand.New(rand.NewSource(time.Now().UnixNano()))
+		rng := rand.New(rand.NewSource(time.Now().UnixNano())) //nolint:gosec // G404 - benchmark test
 		for pb.Next() {
-			key := keys[rng.Intn(size)]
+			key := keys[rng.Intn(size)] //nolint:gosec // G115 - bounded by size
 			r := rng.Float64()
 
 			switch {
@@ -57,7 +57,7 @@ func generateTestKeys(n int) []uint64 {
 	keys := make([]uint64, n)
 	for i := 0; i < n; i++ {
 		// Simulate DNS cache keys (spread out)
-		keys[i] = uint64(i) * 0x9E3779B9
+		keys[i] = uint64(i) * 0x9E3779B9 //nolint:gosec // G115 - test key generation
 	}
 	return keys
 }
@@ -103,7 +103,7 @@ func benchmarkConcurrent(b *testing.B, c cacheOps, numGoroutines int) {
 	for i := 0; i < numGoroutines; i++ {
 		go func(id int) {
 			defer wg.Done()
-			rng := rand.New(rand.NewSource(time.Now().UnixNano() + int64(id)))
+			rng := rand.New(rand.NewSource(time.Now().UnixNano() + int64(id))) //nolint:gosec // G404 - test random
 
 			for j := 0; j < opsPerGoroutine; j++ {
 				key := keys[rng.Intn(len(keys))]

cache/cache_eviction_test.go

@@ -11,7 +11,7 @@ func TestCacheEviction(t *testing.T) {
 
 	// Fill the cache to capacity
 	for i := 0; i < cacheSize; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 	}
 
 	if c.Len() != cacheSize {
@@ -20,7 +20,7 @@ func TestCacheEviction(t *testing.T) {
 
 	// Add more items to trigger eviction
 	for i := cacheSize; i < cacheSize+50; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 
 		// Check size after each batch of additions
 		if i%10 == 0 {
@@ -42,7 +42,7 @@ func TestCacheEviction(t *testing.T) {
 	// Just verify that some items are still retrievable
 	found := 0
 	for i := 0; i < cacheSize+50; i++ {
-		if _, ok := c.Get(uint64(i)); ok {
+		if _, ok := c.Get(uint64(i)); ok { //nolint:gosec // G115 - test loop
 			found++
 		}
 	}
@@ -82,7 +82,7 @@ func TestCacheEvictionConcurrent(t *testing.T) {
 	for i := 0; i < 10; i++ {
 		go func(start int) {
 			for j := 0; j < 200; j++ {
-				c.Add(uint64(start*1000+j), j)
+				c.Add(uint64(start*1000+j), j) //nolint:gosec // G115 - test loop
 			}
 			done <- true
 		}(i)
@@ -107,7 +107,7 @@ func BenchmarkCacheWithEviction(b *testing.B) {
 		i := 0
 		for pb.Next() {
 			// This will trigger eviction periodically
-			c.Add(uint64(i), i)
+			c.Add(uint64(i), i) //nolint:gosec // G115 - benchmark loop
 			i++
 		}
 	})

cache/cache_test.go

@@ -96,12 +96,12 @@ func TestCacheConcurrency(t *testing.T) {
 		go func(id int) {
 			defer wg.Done()
 			for j := 0; j < opsPerGoroutine; j++ {
-				key := uint64(id*opsPerGoroutine + j)
+				key := uint64(id*opsPerGoroutine + j) //nolint:gosec // G115 - test loop
 				c.Add(key, fmt.Sprintf("value-%d-%d", id, j))
 
 				// Randomly access some values
 				if j%10 == 0 {
-					randomKey := uint64((id + j) % (numGoroutines * opsPerGoroutine))
+					randomKey := uint64((id + j) % (numGoroutines * opsPerGoroutine)) //nolint:gosec // G115 - test calculation
 					c.Get(randomKey)
 				}
 			}
@@ -122,7 +122,7 @@ func TestCacheRemoveConcurrency(t *testing.T) {
 
 	// Pre-populate cache
 	for i := 0; i < numGoroutines*keysPerGoroutine; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop //nolint:gosec // G115 - test loop
 	}
 
 	var wg sync.WaitGroup
@@ -133,7 +133,7 @@ func TestCacheRemoveConcurrency(t *testing.T) {
 		go func(id int) {
 			defer wg.Done()
 			for j := 0; j < keysPerGoroutine; j++ {
-				key := uint64(id*keysPerGoroutine + j)
+				key := uint64(id*keysPerGoroutine + j) //nolint:gosec // G115 - test loop
 				c.Remove(key)
 			}
 		}(i)
@@ -178,22 +178,22 @@ func TestCacheCapacity(t *testing.T) {
 
 	// Add some items
 	for i := 0; i < 50; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 	}
 
 	// Verify size
 	assert.Equal(t, 50, c.Len())
 
 	// Add more items up to capacity
 	for i := 50; i < 100; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 	}
 
 	assert.Equal(t, 100, c.Len())
 
 	// Adding more should maintain capacity
 	for i := 100; i < 150; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 	}
 
 	assert.LessOrEqual(t, c.Len(), 100, "Cache should not exceed capacity")
@@ -205,14 +205,14 @@ func BenchmarkCacheGet(b *testing.B) {
 
 	// Pre-populate
 	for i := 0; i < 10000; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 	}
 
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
 		i := 0
 		for pb.Next() {
-			c.Get(uint64(i % 10000))
+			c.Get(uint64(i % 10000)) //nolint:gosec // G115 - test loop
 			i++
 		}
 	})
@@ -225,7 +225,7 @@ func BenchmarkCacheAdd(b *testing.B) {
 	b.RunParallel(func(pb *testing.PB) {
 		i := 0
 		for pb.Next() {
-			c.Add(uint64(i), i)
+			c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 			i++
 		}
 	})
@@ -236,17 +236,17 @@ func BenchmarkCacheMixed(b *testing.B) {
 
 	// Pre-populate
 	for i := 0; i < 5000; i++ {
-		c.Add(uint64(i), i)
+		c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 	}
 
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
 		i := 0
 		for pb.Next() {
 			if i%2 == 0 {
-				c.Get(uint64(i % 10000))
+				c.Get(uint64(i % 10000)) //nolint:gosec // G115 - test loop //nolint:gosec // G115 - test loop
 			} else {
-				c.Add(uint64(i), i)
+				c.Add(uint64(i), i) //nolint:gosec // G115 - test loop
 			}
 			i++
 		}
@@ -262,13 +262,13 @@ func TestCacheMemoryUsage(t *testing.T) {
 
 	// Add items
 	for i := 0; i < 10000; i++ {
-		c.Add(uint64(i), fmt.Sprintf("value-%d", i))
+		c.Add(uint64(i), fmt.Sprintf("value-%d", i)) //nolint:gosec // G115 - test loop
 	}
 
 	// Just verify the cache is working
 	found := 0
 	for i := 0; i < 100; i++ {
-		if _, ok := c.Get(uint64(i)); ok {
+		if _, ok := c.Get(uint64(i)); ok { //nolint:gosec // G115 - test loop
 			found++
 		}
 	}