Increase max rule nesting depth to 10 (#220)

palantir · Aug 14, 2020 · b1e33e1 · b1e33e1
1 parent ddf502f
commit b1e33e1
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/policy/approval/parse.go b/policy/approval/parse.go
@@ -46,7 +46,7 @@ func (p Policy) Parse(rules map[string]*Rule) (common.Evaluator, error) {
 }
 
 func parsePolicyR(policy interface{}, rules map[string]*Rule, depth int) (common.Evaluator, error) {
-	if depth > 5 {
+	if depth > 10 {
 		return nil, errors.New("reached maximum recursive depth while processing policy")
 	}
 

diff --git a/policy/approval/parse_test.go b/policy/approval/parse_test.go
@@ -192,13 +192,18 @@ func TestParsePolicyError_multikey(t *testing.T) {
 }
 
 func TestParsePolicyError_recursiveDepth(t *testing.T) {
-	// Recursive depth 5 is allowed
+	// Recursive depth 10 is allowed
 	policy := `
 - or:
-   - or:
+  - or:
+    - or:
       - or:
-         - or:
-            - rule1
+        - or:
+          - or:
+            - or:
+              - or:
+                - or:
+                  - rule1
 `
 
 	rules := `
@@ -208,14 +213,19 @@ func TestParsePolicyError_recursiveDepth(t *testing.T) {
 	_, err := loadAndParsePolicy(t, policy, rules)
 	require.NoError(t, err)
 
-	// Recursive depth 6 is not allowed
+	// Recursive depth 11 is not allowed
 	policy = `
 - or:
-   - or:
+  - or:
+    - or:
       - or:
-         - or:
+        - or:
+          - or:
             - or:
-               - rule1
+              - or:
+                - or:
+                  - or:
+                    - rule1
 `
 
 	_, err = loadAndParsePolicy(t, policy, rules)