/modules/gdprEnforcement.js

https://github.com/prebid/Prebid.js · JavaScript · 401 lines · 263 code · 37 blank · 101 comment · 77 complexity · a253c9fdc53bb6720de76ef0edaaf167 MD5 · raw file 

    

  1. /**
    2. 

  2.  * This module gives publishers extra set of features to enforce individual purposes of TCF v2
    3. 

  3.  */
    4. 

  4. 

  5. import * as utils from '../src/utils.js';
    6. 

  6. import { config } from '../src/config.js';
    7. 

  7. import { hasDeviceAccess } from '../src/utils.js';
    8. 

  8. import adapterManager, { gdprDataHandler } from '../src/adapterManager.js';
    9. 

  9. import find from 'core-js-pure/features/array/find.js';
    10. 

  10. import includes from 'core-js-pure/features/array/includes.js';
    11. 

  11. import { registerSyncInner } from '../src/adapters/bidderFactory.js';
    12. 

  12. import { getHook } from '../src/hook.js';
    13. 

  13. import { validateStorageEnforcement } from '../src/storageManager.js';
    14. 

  14. import events from '../src/events.js';
    15. 

  15. import { EVENTS } from '../src/constants.json';
    16. 

  16. 

  17. const TCF2 = {
    18. 

  18.   'purpose1': { id: 1, name: 'storage' },
    19. 

  19.   'purpose2': { id: 2, name: 'basicAds' },
    20. 

  20.   'purpose7': { id: 7, name: 'measurement' }
    21. 

  21. }
    22. 

  22. 

  23. /*
    24. 

  24.   These rules would be used if `consentManagement.gdpr.rules` is undefined by the publisher.
    25. 

  25. */
    26. 

  26. const DEFAULT_RULES = [{
    27. 

  27.   purpose: 'storage',
    28. 

  28.   enforcePurpose: true,
    29. 

  29.   enforceVendor: true,
    30. 

  30.   vendorExceptions: []
    31. 

  31. }, {
    32. 

  32.   purpose: 'basicAds',
    33. 

  33.   enforcePurpose: true,
    34. 

  34.   enforceVendor: true,
    35. 

  35.   vendorExceptions: []
    36. 

  36. }];
    37. 

  37. 

  38. export let purpose1Rule;
    39. 

  39. export let purpose2Rule;
    40. 

  40. export let purpose7Rule;
    41. 

  41. 

  42. export let enforcementRules;
    43. 

  43. 

  44. const storageBlocked = [];
    45. 

  45. const biddersBlocked = [];
    46. 

  46. const analyticsBlocked = [];
    47. 

  47. 

  48. let addedDeviceAccessHook = false;
    49. 

  49. 

  50. // Helps in stubbing these functions in unit tests.
    51. 

  51. export const internal = {
    52. 

  52.   getGvlidForBidAdapter,
    53. 

  53.   getGvlidForUserIdModule,
    54. 

  54.   getGvlidForAnalyticsAdapter
    55. 

  55. };
    56. 

  56. 

  57. /**
    58. 

  58.  * Returns GVL ID for a Bid adapter / an USERID submodule / an Analytics adapter.
    59. 

  59.  * If modules of different types have the same moduleCode: For example, 'appnexus' is the code for both Bid adapter and Analytics adapter,
    60. 

  60.  * then, we assume that their GVL IDs are same. This function first checks if GVL ID is defined for a Bid adapter, if not found, tries to find User ID
    61. 

  61.  * submodule's GVL ID, if not found, tries to find Analytics adapter's GVL ID. In this process, as soon as it finds a GVL ID, it returns it
    62. 

  62.  * without going to the next check.
    63. 

  63.  * @param {{string|Object}} - module
    64. 

  64.  * @return {number} - GVL ID
    65. 

  65.  */
    66. 

  66. export function getGvlid(module) {
    67. 

  67.   let gvlid = null;
    68. 

  68.   if (module) {
    69. 

  69.     // Check user defined GVL Mapping in pbjs.setConfig()
    70. 

  70.     const gvlMapping = config.getConfig('gvlMapping');
    71. 

  71. 

  72.     // For USER ID Module, we pass the submodule object itself as the "module" parameter, this check is required to grab the module code
    73. 

  73.     const moduleCode = typeof module === 'string' ? module : module.name;
    74. 

  74. 

  75.     // Return GVL ID from user defined gvlMapping
    76. 

  76.     if (gvlMapping && gvlMapping[moduleCode]) {
    77. 

  77.       gvlid = gvlMapping[moduleCode];
    78. 

  78.       return gvlid;
    79. 

  79.     }
    80. 

  80. 

  81.     gvlid = internal.getGvlidForBidAdapter(moduleCode) || internal.getGvlidForUserIdModule(module) || internal.getGvlidForAnalyticsAdapter(moduleCode);
    82. 

  82.   }
    83. 

  83.   return gvlid;
    84. 

  84. }
    85. 

  85. 

  86. /**
    87. 

  87.  * Returns GVL ID for a bid adapter. If the adapter does not have an associated GVL ID, it returns 'null'.
    88. 

  88.  * @param  {string=} bidderCode - The 'code' property of the Bidder spec.
    89. 

  89.  * @return {number} GVL ID
    90. 

  90.  */
    91. 

  91. function getGvlidForBidAdapter(bidderCode) {
    92. 

  92.   let gvlid = null;
    93. 

  93.   bidderCode = bidderCode || config.getCurrentBidder();
    94. 

  94.   if (bidderCode) {
    95. 

  95.     const bidder = adapterManager.getBidAdapter(bidderCode);
    96. 

  96.     if (bidder && bidder.getSpec) {
    97. 

  97.       gvlid = bidder.getSpec().gvlid;
    98. 

  98.     }
    99. 

  99.   }
    100. 

  100.   return gvlid;
    101. 

  101. }
    102. 

  102. 

  103. /**
    104. 

  104.  * Returns GVL ID for an userId submodule. If an userId submodules does not have an associated GVL ID, it returns 'null'.
    105. 

  105.  * @param {Object} userIdModule
    106. 

  106.  * @return {number} GVL ID
    107. 

  107.  */
    108. 

  108. function getGvlidForUserIdModule(userIdModule) {
    109. 

  109.   return (typeof userIdModule === 'object' ? userIdModule.gvlid : null);
    110. 

  110. }
    111. 

  111. 

  112. /**
    113. 

  113.  * Returns GVL ID for an analytics adapter. If an analytics adapter does not have an associated GVL ID, it returns 'null'.
    114. 

  114.  * @param {string} code - 'provider' property on the analytics adapter config
    115. 

  115.  * @return {number} GVL ID
    116. 

  116.  */
    117. 

  117. function getGvlidForAnalyticsAdapter(code) {
    118. 

  118.   return adapterManager.getAnalyticsAdapter(code) && (adapterManager.getAnalyticsAdapter(code).gvlid || null);
    119. 

  119. }
    120. 

  120. 

  121. /**
    122. 

  122.  * This function takes in a rule and consentData and validates against the consentData provided. Depending on what it returns,
    123. 

  123.  * the caller may decide to suppress a TCF-sensitive activity.
    124. 

  124.  * @param {Object} rule - enforcement rules set in config
    125. 

  125.  * @param {Object} consentData - gdpr consent data
    126. 

  126.  * @param {string=} currentModule - Bidder code of the current module
    127. 

  127.  * @param {number=} gvlId - GVL ID for the module
    128. 

  128.  * @returns {boolean}
    129. 

  129.  */
    130. 

  130. export function validateRules(rule, consentData, currentModule, gvlId) {
    131. 

  131.   const purposeId = TCF2[Object.keys(TCF2).filter(purposeName => TCF2[purposeName].name === rule.purpose)[0]].id;
    132. 

  132. 

  133.   // return 'true' if vendor present in 'vendorExceptions'
    134. 

  134.   if (includes(rule.vendorExceptions || [], currentModule)) {
    135. 

  135.     return true;
    136. 

  136.   }
    137. 

  137. 

  138.   // get data from the consent string
    139. 

  139.   const purposeConsent = utils.deepAccess(consentData, `vendorData.purpose.consents.${purposeId}`);
    140. 

  140.   const vendorConsent = utils.deepAccess(consentData, `vendorData.vendor.consents.${gvlId}`);
    141. 

  141.   const liTransparency = utils.deepAccess(consentData, `vendorData.purpose.legitimateInterests.${purposeId}`);
    142. 

  142. 

  143.   /*
    144. 

  144.     Since vendor exceptions have already been handled, the purpose as a whole is allowed if it's not being enforced
    145. 

  145.     or the user has consented. Similar with vendors.
    146. 

  146.   */
    147. 

  147.   const purposeAllowed = rule.enforcePurpose === false || purposeConsent === true;
    148. 

  148.   const vendorAllowed = rule.enforceVendor === false || vendorConsent === true;
    149. 

  149. 

  150.   /*
    151. 

  151.     Few if any vendors should be declaring Legitimate Interest for Device Access (Purpose 1), but some are claiming
    152. 

  152.     LI for Basic Ads (Purpose 2). Prebid.js can't check to see who's declaring what legal basis, so if LI has been
    153. 

  153.     established for Purpose 2, allow the auction to take place and let the server sort out the legal basis calculation.
    154. 

  154.   */
    155. 

  155.   if (purposeId === 2) {
    156. 

  156.     return (purposeAllowed && vendorAllowed) || (liTransparency === true);
    157. 

  157.   }
    158. 

  158. 

  159.   return purposeAllowed && vendorAllowed;
    160. 

  160. }
    161. 

  161. 

  162. /**
    163. 

  163.  * This hook checks whether module has permission to access device or not. Device access include cookie and local storage
    164. 

  164.  * @param {Function} fn reference to original function (used by hook logic)
    165. 

  165.  * @param {Number=} gvlid gvlid of the module
    166. 

  166.  * @param {string=} moduleName name of the module
    167. 

  167.  */
    168. 

  168. export function deviceAccessHook(fn, gvlid, moduleName, result) {
    169. 

  169.   result = Object.assign({}, {
    170. 

  170.     hasEnforcementHook: true
    171. 

  171.   });
    172. 

  172.   if (!hasDeviceAccess()) {
    173. 

  173.     utils.logWarn('Device access is disabled by Publisher');
    174. 

  174.     result.valid = false;
    175. 

  175.     fn.call(this, gvlid, moduleName, result);
    176. 

  176.   } else {
    177. 

  177.     const consentData = gdprDataHandler.getConsentData();
    178. 

  178.     if (consentData && consentData.gdprApplies) {
    179. 

  179.       if (consentData.apiVersion === 2) {
    180. 

  180.         const curBidder = config.getCurrentBidder();
    181. 

  181.         // Bidders have a copy of storage object with bidder code binded. Aliases will also pass the same bidder code when invoking storage functions and hence if alias tries to access device we will try to grab the gvl id for alias instead of original bidder
    182. 

  182.         if (curBidder && (curBidder != moduleName) && adapterManager.aliasRegistry[curBidder] === moduleName) {
    183. 

  183.           gvlid = getGvlid(curBidder);
    184. 

  184.         } else {
    185. 

  185.           gvlid = getGvlid(moduleName) || gvlid;
    186. 

  186.         }
    187. 

  187.         const curModule = moduleName || curBidder;
    188. 

  188.         let isAllowed = validateRules(purpose1Rule, consentData, curModule, gvlid);
    189. 

  189.         if (isAllowed) {
    190. 

  190.           result.valid = true;
    191. 

  191.           fn.call(this, gvlid, moduleName, result);
    192. 

  192.         } else {
    193. 

  193.           curModule && utils.logWarn(`TCF2 denied device access for ${curModule}`);
    194. 

  194.           result.valid = false;
    195. 

  195.           storageBlocked.push(curModule);
    196. 

  196.           fn.call(this, gvlid, moduleName, result);
    197. 

  197.         }
    198. 

  198.       } else {
    199. 

  199.         // The module doesn't enforce TCF1.1 strings
    200. 

  200.         result.valid = true;
    201. 

  201.         fn.call(this, gvlid, moduleName, result);
    202. 

  202.       }
    203. 

  203.     } else {
    204. 

  204.       result.valid = true;
    205. 

  205.       fn.call(this, gvlid, moduleName, result);
    206. 

  206.     }
    207. 

  207.   }
    208. 

  208. }
    209. 

  209. 

  210. /**
    211. 

  211.  * This hook checks if a bidder has consent for user sync or not
    212. 

  212.  * @param {Function} fn reference to original function (used by hook logic)
    213. 

  213.  * @param  {...any} args args
    214. 

  214.  */
    215. 

  215. export function userSyncHook(fn, ...args) {
    216. 

  216.   const consentData = gdprDataHandler.getConsentData();
    217. 

  217.   if (consentData && consentData.gdprApplies) {
    218. 

  218.     if (consentData.apiVersion === 2) {
    219. 

  219.       const curBidder = config.getCurrentBidder();
    220. 

  220.       const gvlid = getGvlid(curBidder);
    221. 

  221.       let isAllowed = validateRules(purpose1Rule, consentData, curBidder, gvlid);
    222. 

  222.       if (isAllowed) {
    223. 

  223.         fn.call(this, ...args);
    224. 

  224.       } else {
    225. 

  225.         utils.logWarn(`User sync not allowed for ${curBidder}`);
    226. 

  226.         storageBlocked.push(curBidder);
    227. 

  227.       }
    228. 

  228.     } else {
    229. 

  229.       // The module doesn't enforce TCF1.1 strings
    230. 

  230.       fn.call(this, ...args);
    231. 

  231.     }
    232. 

  232.   } else {
    233. 

  233.     fn.call(this, ...args);
    234. 

  234.   }
    235. 

  235. }
    236. 

  236. 

  237. /**
    238. 

  238.  * This hook checks if user id module is given consent or not
    239. 

  239.  * @param {Function} fn reference to original function (used by hook logic)
    240. 

  240.  * @param  {Submodule[]} submodules Array of user id submodules
    241. 

  241.  * @param {Object} consentData GDPR consent data
    242. 

  242.  */
    243. 

  243. export function userIdHook(fn, submodules, consentData) {
    244. 

  244.   if (consentData && consentData.gdprApplies) {
    245. 

  245.     if (consentData.apiVersion === 2) {
    246. 

  246.       let userIdModules = submodules.map((submodule) => {
    247. 

  247.         const gvlid = getGvlid(submodule.submodule);
    248. 

  248.         const moduleName = submodule.submodule.name;
    249. 

  249.         let isAllowed = validateRules(purpose1Rule, consentData, moduleName, gvlid);
    250. 

  250.         if (isAllowed) {
    251. 

  251.           return submodule;
    252. 

  252.         } else {
    253. 

  253.           utils.logWarn(`User denied permission to fetch user id for ${moduleName} User id module`);
    254. 

  254.           storageBlocked.push(moduleName);
    255. 

  255.         }
    256. 

  256.         return undefined;
    257. 

  257.       }).filter(module => module)
    258. 

  258.       fn.call(this, userIdModules, { ...consentData, hasValidated: true });
    259. 

  259.     } else {
    260. 

  260.       // The module doesn't enforce TCF1.1 strings
    261. 

  261.       fn.call(this, submodules, consentData);
    262. 

  262.     }
    263. 

  263.   } else {
    264. 

  264.     fn.call(this, submodules, consentData);
    265. 

  265.   }
    266. 

  266. }
    267. 

  267. 

  268. /**
    269. 

  269.  * Checks if bidders are allowed in the auction.
    270. 

  270.  * Enforces "purpose 2 (Basic Ads)" of TCF v2.0 spec
    271. 

  271.  * @param {Function} fn - Function reference to the original function.
    272. 

  272.  * @param {Array<adUnits>} adUnits
    273. 

  273.  */
    274. 

  274. export function makeBidRequestsHook(fn, adUnits, ...args) {
    275. 

  275.   const consentData = gdprDataHandler.getConsentData();
    276. 

  276.   if (consentData && consentData.gdprApplies) {
    277. 

  277.     if (consentData.apiVersion === 2) {
    278. 

  278.       adUnits.forEach(adUnit => {
    279. 

  279.         adUnit.bids = adUnit.bids.filter(bid => {
    280. 

  280.           const currBidder = bid.bidder;
    281. 

  281.           const gvlId = getGvlid(currBidder);
    282. 

  282.           if (includes(biddersBlocked, currBidder)) return false;
    283. 

  283.           const isAllowed = !!validateRules(purpose2Rule, consentData, currBidder, gvlId);
    284. 

  284.           if (!isAllowed) {
    285. 

  285.             utils.logWarn(`TCF2 blocked auction for ${currBidder}`);
    286. 

  286.             biddersBlocked.push(currBidder);
    287. 

  287.           }
    288. 

  288.           return isAllowed;
    289. 

  289.         });
    290. 

  290.       });
    291. 

  291.       fn.call(this, adUnits, ...args);
    292. 

  292.     } else {
    293. 

  293.       // The module doesn't enforce TCF1.1 strings
    294. 

  294.       fn.call(this, adUnits, ...args);
    295. 

  295.     }
    296. 

  296.   } else {
    297. 

  297.     fn.call(this, adUnits, ...args);
    298. 

  298.   }
    299. 

  299. }
    300. 

  300. 

  301. /**
    302. 

  302.  * Checks if Analytics adapters are allowed to send data to their servers for furhter processing.
    303. 

  303.  * Enforces "purpose 7 (Measurement)" of TCF v2.0 spec
    304. 

  304.  * @param {Function} fn - Function reference to the original function.
    305. 

  305.  * @param {Array<AnalyticsAdapterConfig>} config - Configuration object passed to pbjs.enableAnalytics()
    306. 

  306.  */
    307. 

  307. export function enableAnalyticsHook(fn, config) {
    308. 

  308.   const consentData = gdprDataHandler.getConsentData();
    309. 

  309.   if (consentData && consentData.gdprApplies) {
    310. 

  310.     if (consentData.apiVersion === 2) {
    311. 

  311.       if (!utils.isArray(config)) {
    312. 

  312.         config = [config]
    313. 

  313.       }
    314. 

  314.       config = config.filter(conf => {
    315. 

  315.         const analyticsAdapterCode = conf.provider;
    316. 

  316.         const gvlid = getGvlid(analyticsAdapterCode);
    317. 

  317.         const isAllowed = !!validateRules(purpose7Rule, consentData, analyticsAdapterCode, gvlid);
    318. 

  318.         if (!isAllowed) {
    319. 

  319.           analyticsBlocked.push(analyticsAdapterCode);
    320. 

  320.           utils.logWarn(`TCF2 blocked analytics adapter ${conf.provider}`);
    321. 

  321.         }
    322. 

  322.         return isAllowed;
    323. 

  323.       });
    324. 

  324.       fn.call(this, config);
    325. 

  325.     } else {
    326. 

  326.       // This module doesn't enforce TCF1.1 strings
    327. 

  327.       fn.call(this, config);
    328. 

  328.     }
    329. 

  329.   } else {
    330. 

  330.     fn.call(this, config);
    331. 

  331.   }
    332. 

  332. }
    333. 

  333. 

  334. /**
    335. 

  335.  * Compiles the TCF2.0 enforcement results into an object, which is emitted as an event payload to "tcf2Enforcement" event.
    336. 

  336.  */
    337. 

  337. function emitTCF2FinalResults() {
    338. 

  338.   // remove null and duplicate values
    339. 

  339.   const formatArray = function (arr) {
    340. 

  340.     return arr.filter((i, k) => i !== null && arr.indexOf(i) === k);
    341. 

  341.   }
    342. 

  342.   const tcf2FinalResults = {
    343. 

  343.     storageBlocked: formatArray(storageBlocked),
    344. 

  344.     biddersBlocked: formatArray(biddersBlocked),
    345. 

  345.     analyticsBlocked: formatArray(analyticsBlocked)
    346. 

  346.   };
    347. 

  347. 

  348.   events.emit(EVENTS.TCF2_ENFORCEMENT, tcf2FinalResults);
    349. 

  349. }
    350. 

  350. 

  351. events.on(EVENTS.AUCTION_END, emitTCF2FinalResults);
    352. 

  352. 

  353. /*
    354. 

  354.   Set of callback functions used to detect presence of a TCF rule, passed as the second argument to find().
    355. 

  355. */
    356. 

  356. const hasPurpose1 = (rule) => { return rule.purpose === TCF2.purpose1.name }
    357. 

  357. const hasPurpose2 = (rule) => { return rule.purpose === TCF2.purpose2.name }
    358. 

  358. const hasPurpose7 = (rule) => { return rule.purpose === TCF2.purpose7.name }
    359. 

  359. 

  360. /**
    361. 

  361.  * A configuration function that initializes some module variables, as well as adds hooks
    362. 

  362.  * @param {Object} config - GDPR enforcement config object
    363. 

  363.  */
    364. 

  364. export function setEnforcementConfig(config) {
    365. 

  365.   const rules = utils.deepAccess(config, 'gdpr.rules');
    366. 

  366.   if (!rules) {
    367. 

  367.     utils.logWarn('TCF2: enforcing P1 and P2 by default');
    368. 

  368.     enforcementRules = DEFAULT_RULES;
    369. 

  369.   } else {
    370. 

  370.     enforcementRules = rules;
    371. 

  371.   }
    372. 

  372. 

  373.   purpose1Rule = find(enforcementRules, hasPurpose1);
    374. 

  374.   purpose2Rule = find(enforcementRules, hasPurpose2);
    375. 

  375.   purpose7Rule = find(enforcementRules, hasPurpose7);
    376. 

  376. 

  377.   if (!purpose1Rule) {
    378. 

  378.     purpose1Rule = DEFAULT_RULES[0];
    379. 

  379.   }
    380. 

  380. 

  381.   if (!purpose2Rule) {
    382. 

  382.     purpose2Rule = DEFAULT_RULES[1];
    383. 

  383.   }
    384. 

  384. 

  385.   if (purpose1Rule && !addedDeviceAccessHook) {
    386. 

  386.     addedDeviceAccessHook = true;
    387. 

  387.     validateStorageEnforcement.before(deviceAccessHook, 49);
    388. 

  388.     registerSyncInner.before(userSyncHook, 48);
    389. 

  389.     // Using getHook as user id and gdprEnforcement are both optional modules. Using import will auto include the file in build
    390. 

  390.     getHook('validateGdprEnforcement').before(userIdHook, 47);
    391. 

  391.   }
    392. 

  392.   if (purpose2Rule) {
    393. 

  393.     getHook('makeBidRequests').before(makeBidRequestsHook);
    394. 

  394.   }
    395. 

  395. 

  396.   if (purpose7Rule) {
    397. 

  397.     getHook('enableAnalyticsCb').before(enableAnalyticsHook);
    398. 

  398.   }
    399. 

  399. }
    400. 

  400. 

  401. config.getConfig('consentManagement', config => setEnforcementConfig(config.consentManagement));
    402.