Fix more

bgier-stytch · bgier-stytch · commit e5af15424ebf · 2025-07-23T13:46:25.000-07:00
diff --git a/stytch/consumer/api/test/test_consumer_idp.py b/stytch/consumer/api/test/test_consumer_idp.py
@@ -15,7 +15,6 @@
 from stytch.shared.rbac_local import (
     RBACPermissionError,
     perform_consumer_scope_authorization_check,
-    perform_consumer_scope_authorization_check_local,
 )
 
 
@@ -166,94 +165,6 @@ def test_perform_consumer_scope_authorization_check_multiple_scopes(self) -> Non
         # Act & Assert - should not raise an exception
         perform_consumer_scope_authorization_check(self.policy, scopes, req)
 
-    def test_perform_consumer_scope_authorization_check_local_success(self) -> None:
-        """Test successful local authorization with matching scope and action."""
-        # Arrange
-        scopes = [self.write_scope.scope]
-        req = ConsumerAuthorizationCheck(
-            resource_id="foo",
-            action="write",
-        )
-        
-        # Act & Assert - should not raise an exception
-        perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
-    def test_perform_consumer_scope_authorization_check_local_wildcard_success(self) -> None:
-        """Test successful local authorization with wildcard scope."""
-        # Arrange
-        scopes = [self.wildcard_scope.scope]
-        req = ConsumerAuthorizationCheck(
-            resource_id="foo",
-            action="delete",  # Action not explicitly defined but covered by wildcard
-        )
-        
-        # Act & Assert - should not raise an exception
-        perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
-    def test_perform_consumer_scope_authorization_check_local_wrong_resource(self) -> None:
-        """Test local authorization failure when resource doesn't match."""
-        # Arrange
-        scopes = [self.write_scope.scope]
-        req = ConsumerAuthorizationCheck(
-            resource_id="baz",  # Resource not in scope
-            action="write",
-        )
-        
-        # Act & Assert
-        with self.assertRaises(RBACPermissionError):
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
-    def test_perform_consumer_scope_authorization_check_local_wrong_action(self) -> None:
-        """Test local authorization failure when action doesn't match."""
-        # Arrange
-        scopes = [self.read_scope.scope]
-        req = ConsumerAuthorizationCheck(
-            resource_id="foo",
-            action="write",  # Action not in read scope
-        )
-        
-        # Act & Assert
-        with self.assertRaises(RBACPermissionError):
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
-    def test_perform_consumer_scope_authorization_check_local_no_matching_scope(self) -> None:
-        """Test local authorization failure when no scope matches."""
-        # Arrange
-        scopes = ["nonexistent:scope"]
-        req = ConsumerAuthorizationCheck(
-            resource_id="foo",
-            action="read",
-        )
-        
-        # Act & Assert
-        with self.assertRaises(RBACPermissionError):
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
-    def test_perform_consumer_scope_authorization_check_local_empty_scopes(self) -> None:
-        """Test local authorization failure with empty scopes list."""
-        # Arrange
-        scopes = []
-        req = ConsumerAuthorizationCheck(
-            resource_id="foo",
-            action="read",
-        )
-        
-        # Act & Assert
-        with self.assertRaises(RBACPermissionError):
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
-    def test_perform_consumer_scope_authorization_check_local_multiple_scopes(self) -> None:
-        """Test successful local authorization with multiple scopes where one matches."""
-        # Arrange
-        scopes = ["nonexistent:scope", self.read_scope.scope, "another:scope"]
-        req = ConsumerAuthorizationCheck(
-            resource_id="foo",
-            action="read",
-        )
-        
-        # Act & Assert - should not raise an exception
-        perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-
     @patch('stytch.consumer.api.idp.rbac_local.perform_consumer_scope_authorization_check')
     def test_introspect_token_network_with_authorization_check(self, mock_auth_check) -> None:
         """Test that introspect_token_network calls authorization check when provided."""
diff --git a/stytch/shared/rbac_local.py b/stytch/shared/rbac_local.py
@@ -93,7 +93,7 @@ def perform_consumer_authorization_check(
                     return
 
     # If we made it here, we didn't find a matching permission
-    raise RBACPermissionError(authorization_check)
+    raise RBACConsumerPermissionError(authorization_check)
 
 
 def perform_scope_authorization_check(
diff --git a/stytch/shared/tests/test_rbac_local.py b/stytch/shared/tests/test_rbac_local.py
@@ -12,11 +12,11 @@
     AuthorizationCheck as ConsumerAuthorizationCheck,
 )
 from stytch.shared.rbac_local import (
+    RBACConsumerPermissionError,
     RBACPermissionError,
     TenancyError,
     perform_authorization_check,
     perform_consumer_scope_authorization_check,
-    perform_consumer_scope_authorization_check_local,
     perform_scope_authorization_check,
 )
 
@@ -218,7 +218,7 @@ def test_perform_scope_authorization_check(self) -> None:
 
     def test_perform_consumer_scope_authorization_check(self) -> None:
         with self.subTest("has matching action but not resource"):
-            with self.assertRaises(RBACPermissionError):
+            with self.assertRaises(RBACConsumerPermissionError):
                 # Arrange
                 scopes = [self.write_scope.scope]
                 req = ConsumerAuthorizationCheck(
@@ -229,7 +229,7 @@ def test_perform_consumer_scope_authorization_check(self) -> None:
                 perform_consumer_scope_authorization_check(self.policy, scopes, req)
 
         with self.subTest("has matching resource but not action"):
-            with self.assertRaises(RBACPermissionError):
+            with self.assertRaises(RBACConsumerPermissionError):
                 # Arrange
                 scopes = [self.read_scope.scope]
                 req = ConsumerAuthorizationCheck(
@@ -262,7 +262,7 @@ def test_perform_consumer_scope_authorization_check(self) -> None:
             # Assertion is that no exception is raised
 
         with self.subTest("no matching scope"):
-            with self.assertRaises(RBACPermissionError):
+            with self.assertRaises(RBACConsumerPermissionError):
                 # Arrange
                 scopes = ["nonexistent:scope"]
                 req = ConsumerAuthorizationCheck(
@@ -273,7 +273,7 @@ def test_perform_consumer_scope_authorization_check(self) -> None:
                 perform_consumer_scope_authorization_check(self.policy, scopes, req)
 
         with self.subTest("empty scopes list"):
-            with self.assertRaises(RBACPermissionError):
+            with self.assertRaises(RBACConsumerPermissionError):
                 # Arrange
                 scopes = []
                 req = ConsumerAuthorizationCheck(
@@ -293,113 +293,3 @@ def test_perform_consumer_scope_authorization_check(self) -> None:
             # Act
             perform_consumer_scope_authorization_check(self.policy, scopes, req)
             # Assertion is that no exception is raised
-
-    def test_perform_consumer_scope_authorization_check_local(self) -> None:
-        with self.subTest("has matching action but not resource"):
-            with self.assertRaises(RBACPermissionError):
-                # Arrange
-                scopes = [self.write_scope.scope]
-                req = ConsumerAuthorizationCheck(
-                    resource_id="baz",
-                    action="write",
-                )
-                # Act
-                perform_consumer_scope_authorization_check_local(
-                    self.policy, scopes, req
-                )
-
-        with self.subTest("has matching resource but not action"):
-            with self.assertRaises(RBACPermissionError):
-                # Arrange
-                scopes = [self.read_scope.scope]
-                req = ConsumerAuthorizationCheck(
-                    resource_id="foo",
-                    action="write",
-                )
-                # Act
-                perform_consumer_scope_authorization_check_local(
-                    self.policy, scopes, req
-                )
-
-        with self.subTest("has matching resource and specific action"):
-            # Arrange
-            scopes = [self.write_scope.scope]
-            req = ConsumerAuthorizationCheck(
-                resource_id="foo",
-                action="write",
-            )
-            # Act
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-            # Assertion is that no exception is raised
-
-        with self.subTest("has matching resource and star action"):
-            # Arrange
-            scopes = [self.wildcard_scope.scope]
-            req = ConsumerAuthorizationCheck(
-                resource_id="foo",
-                action="write",
-            )
-            # Act
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-            # Assertion is that no exception is raised
-
-        with self.subTest("no matching scope"):
-            with self.assertRaises(RBACPermissionError):
-                # Arrange
-                scopes = ["nonexistent:scope"]
-                req = ConsumerAuthorizationCheck(
-                    resource_id="foo",
-                    action="read",
-                )
-                # Act
-                perform_consumer_scope_authorization_check_local(
-                    self.policy, scopes, req
-                )
-
-        with self.subTest("empty scopes list"):
-            with self.assertRaises(RBACPermissionError):
-                # Arrange
-                scopes = []
-                req = ConsumerAuthorizationCheck(
-                    resource_id="foo",
-                    action="read",
-                )
-                # Act
-                perform_consumer_scope_authorization_check_local(
-                    self.policy, scopes, req
-                )
-
-        with self.subTest("multiple scopes with one matching"):
-            # Arrange
-            scopes = ["nonexistent:scope", self.read_scope.scope, "another:scope"]
-            req = ConsumerAuthorizationCheck(
-                resource_id="foo",
-                action="read",
-            )
-            # Act
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-            # Assertion is that no exception is raised
-
-        with self.subTest("bar resource with write scope"):
-            # Arrange
-            scopes = [
-                self.write_scope.scope
-            ]  # Use the write scope which includes bar resource
-            req = ConsumerAuthorizationCheck(
-                resource_id="bar",
-                action="write",
-            )
-            # Act
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-            # Assertion is that no exception is raised
-
-        with self.subTest("wildcard scope with delete action"):
-            # Arrange
-            scopes = [self.wildcard_scope.scope]  # Use the wildcard scope
-            req = ConsumerAuthorizationCheck(
-                resource_id="foo",
-                action="delete",
-            )
-            # Act
-            perform_consumer_scope_authorization_check_local(self.policy, scopes, req)
-            # Assertion is that no exception is raised
