feat(banner): Consent-Historie/Widerruf live erkennen (Borlabs-Stil, #62)

consent_history.detect_consent_history: erkennt CMP-Anbieter (Borlabs/ Usercentrics/OneTrust/Cookiebot/…) aus Storage+Cookies, versionierten Consent (historie-fähig) + dauerhaftes Widerruf-/Einstellungs-Widget. consent_scanner ruft es in Phase A; scan_matrix_summary surft summary.consent_history; browser_cross_finding: positiver Befund wenn vorhanden, sonst Best-Practice-LOW („Nutzer sehen, wann sie welcher Version zugestimmt haben"); BrowserBehaviorView zeigt es im Engine-Detail. Tests: 7 (classify/versioned) + 2 Cross-Finding. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-13 16:38:38 +02:00
parent 8d0da710d5
commit d92dd3b5fc
7 changed files with 208 additions and 4 deletions
@@ -0,0 +1,95 @@
+"""Consent-Historie-/Widerruf-Erkennung (Borlabs-Stil) während des Scans.
+
+Erkennt, ob die Site ihre Einwilligung versioniert speichert (Borlabs hält die
+zugestimmte Version + Zeitstempel → Nutzer kann nachvollziehen, welcher Version
+er wann zugestimmt hat) und ob ein dauerhaftes Widerruf-/„Cookie-Einstellungen"-
+Widget angeboten wird. Reine Klassifikation (`classify_provider`) ist ohne
+Browser unit-testbar; `detect_consent_history` kapselt das Playwright-IO.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Optional
+
+# Signatur-Fragmente in Storage-Keys/Cookie-Namen → CMP-Anbieter.
+_PROVIDERS = [
+    ("Borlabs", ["borlabs-cookie", "borlabscookie", "borlabs"]),
+    ("Usercentrics", ["uc_settings", "uc_user_interaction", "usercentrics"]),
+    ("OneTrust", ["optanonconsent", "optanonalertbox", "onetrust"]),
+    ("Cookiebot", ["cookieconsent", "cookiebot"]),
+    ("Complianz", ["cmplz_", "complianz"]),
+    ("Cookie-Script", ["cookiescriptconsent"]),
+]
+
+# Wer trägt von Haus aus eine versionierte Consent-Historie (Capability).
+_HISTORY_CAPABLE = {"Borlabs", "Usercentrics", "OneTrust", "Cookiebot"}
+
+# Selektoren für ein dauerhaftes Widerruf-/Einstellungs-Widget.
+_WITHDRAW_SELECTOR = (
+    'a:has-text("Cookie-Einstellungen"), button:has-text("Cookie-Einstellungen"), '
+    'a:has-text("Einwilligung"), button:has-text("Einwilligung"), '
+    'a:has-text("Cookie Settings"), button:has-text("Cookie Settings"), '
+    'a:has-text("Consent"), button:has-text("Consent"), '
+    '[id*="borlabs-cookie"], [class*="borlabs-cookie"], #BorlabsCookieBox, '
+    '[class*="cookie-preference"], [class*="cmplz-manage"]'
+)
+
+
+def classify_provider(names: list[str]) -> str:
+    """Storage-Keys + Cookie-Namen → CMP-Anbieter ('' wenn unbekannt). Pur."""
+    blob = " ".join(n.lower() for n in names if n)
+    for provider, sigs in _PROVIDERS:
+        if any(s in blob for s in sigs):
+            return provider
+    return ""
+
+
+def _is_versioned(provider: str, stored_value: Optional[str]) -> bool:
+    """True, wenn der gespeicherte Consent eine Version/Consent-Liste trägt
+    (Indiz für nachvollziehbare Historie)."""
+    if not stored_value:
+        return provider in _HISTORY_CAPABLE  # Capability auch ohne Wert
+    low = stored_value.lower()
+    return any(t in low for t in ("version", "consents", "timestamp", "consentid"))
+
+
+async def detect_consent_history(page: Any) -> dict:
+    """Liest Storage/Cookies + DOM und liefert:
+    {provider, stored, versioned_consent, history_capable, withdraw_ui}."""
+    keys: list[str] = []
+    try:
+        keys = await page.evaluate("() => Object.keys(window.localStorage || {})")
+    except Exception:
+        keys = []
+    cookie_names: list[str] = []
+    try:
+        cookie_names = [c.get("name", "") for c in await page.context.cookies()]
+    except Exception:
+        cookie_names = []
+
+    provider = classify_provider(list(keys) + cookie_names)
+
+    stored_value = None
+    if provider == "Borlabs":
+        try:
+            stored_value = await page.evaluate(
+                "() => localStorage.getItem('borlabs-cookie') || "
+                "localStorage.getItem('BorlabsCookie')")
+        except Exception:
+            stored_value = None
+
+    versioned = _is_versioned(provider, stored_value)
+
+    withdraw = False
+    try:
+        withdraw = await page.locator(_WITHDRAW_SELECTOR).count() > 0
+    except Exception:
+        withdraw = False
+
+    return {
+        "provider": provider,
+        "stored": bool(provider),
+        "versioned_consent": versioned,
+        "history_capable": versioned or provider in _HISTORY_CAPABLE,
+        "withdraw_ui": withdraw,
+    }
@@ -81,6 +81,9 @@ class ConsentTestResult:
    # Backend embedded das als <img> in der Mail — visueller Beweis
    # "so sah das Banner zum Audit-Zeitpunkt aus".
    banner_screenshot_b64: str = ""
+    # #62: Consent-Historie/Widerruf (Borlabs-Stil) — Provider, versionierter
+    # Consent (historie-fähig), dauerhaftes Widerruf-Widget.
+    consent_history: dict = field(default_factory=dict)


 def _apply_edge_case_findings(result, url: str = "") -> None:
@@ -274,6 +277,13 @@ async def run_consent_test(
                except Exception as _se:
                    logger.warning("P85: banner screenshot failed: %s", _se)

+            # #62: Consent-Historie/Widerruf (Borlabs-Stil) erkennen.
+            try:
+                from services.consent_history import detect_consent_history
+                result.consent_history = await detect_consent_history(page_a)
+            except Exception as _che:
+                logger.warning("consent-history detection failed: %s", _che)
+
            await ctx_a.close()

            if not banner.detected:
@@ -63,6 +63,8 @@ def matrix_scan_dict(result: Any) -> dict:
                getattr(result, "banner_has_dse_link", False)),
            "banner_text_issues": len(banner_text_violations),
        },
+        # #62: Consent-Historie/Widerruf (Borlabs-Stil).
+        "consent_history": getattr(result, "consent_history", {}) or {},
        # Oberflächen-Befunde je Engine (die 20 Banner-Checks: Button-Prominenz,
        # Toggle-Vorauswahl, Einleitungstext/Links …) — Text + Severity +
        # Norm-Bezug. Aggregierte Maßnahmen folgen im Cross-Finding.
@@ -0,0 +1,35 @@
+"""Consent-Historie-Erkennung (#62) — pure Klassifikation."""
+
+from services.consent_history import classify_provider, _is_versioned
+
+
+def test_classify_borlabs():
+    assert classify_provider(["borlabs-cookie", "PHPSESSID"]) == "Borlabs"
+
+
+def test_classify_onetrust():
+    assert classify_provider(["OptanonConsent", "foo"]) == "OneTrust"
+
+
+def test_classify_cookiebot():
+    assert classify_provider(["CookieConsent"]) == "Cookiebot"
+
+
+def test_classify_unknown_empty():
+    assert classify_provider(["sessionid", "csrftoken"]) == ""
+    assert classify_provider([]) == ""
+
+
+def test_versioned_from_stored_value():
+    assert _is_versioned("Borlabs", '{"version":3,"consents":{}}') is True
+    assert _is_versioned("Borlabs", '{"timestamp":123}') is True
+
+
+def test_versioned_capability_without_value():
+    # Borlabs ist historie-fähig auch ohne ausgelesenen Wert.
+    assert _is_versioned("Borlabs", None) is True
+
+
+def test_not_versioned_unknown_provider():
+    assert _is_versioned("", None) is False
+    assert _is_versioned("", "irgendwas") is False