breakpilot-compliance/consent-tester/tests/test_cookieless_optout.py

"""Cookieless Opt-out-Erkennung im banner_text_checker.

Sehr untypischer Sonderfall: cookie-FREIE Analyse mit reinem Opt-out-Hinweis
statt Consent-Banner (z.B. bayshore.ai). Standard-Opt-in-Checks duerfen dann
NICHT feuern (sonst False Positives).
"""

from services.banner_text_checker import (
    is_cookieless_optout,
    detect_non_cookie_tracking,
    build_no_banner_finding,
    detect_consent_or_pay,
    detect_cname_cloaking,
)


def test_bayshore_cookieless_optout_detected():
    # Realer bayshore.ai-Bannertext (Opt-out fuer cookie-freie Analyse).
    bay = ("privacy-friendly, cookie-free analytics are currently enabled. "
           "you can change your choice at any time. disable")
    assert is_cookieless_optout(bay) is True


def test_standard_consent_banner_not_cookieless():
    assert not is_cookieless_optout(
        "wir nutzen cookies. alle akzeptieren  ablehnen  einstellungen")


def test_cookiefree_but_with_accept_is_not_optout():
    # 'cookie-free' genannt, aber echtes Consent ('accept all') → kein reiner Opt-out.
    assert not is_cookieless_optout("cookie-free analytics. accept all  disable")


def test_signal_without_optout_word_is_not_detected():
    # cookie-free, aber kein Opt-out-Mechanismus im Text.
    assert not is_cookieless_optout("cookie-free analytics enabled")


def test_empty():
    assert not is_cookieless_optout("")


# ── #3: Non-Cookie-Tracking-Erkennung ──────────────────────────────────
def test_detect_meta_pixel():
    assert detect_non_cookie_tracking(
        ["https://connect.facebook.net/en_US/fbevents.js"]) == ["Meta-Pixel (Facebook)"]


def test_detect_clarity_and_fingerprint():
    found = detect_non_cookie_tracking([
        "https://www.clarity.ms/tag/abc", "https://cdn.fpjs.io/v3/x.js"])
    assert "Microsoft Clarity" in found
    assert "Fingerprinting (FingerprintJS)" in found


def test_detect_none_on_plain_scripts():
    assert detect_non_cookie_tracking(
        ["https://example.com/app.js", "/static/main.css"]) == []
    assert detect_non_cookie_tracking([]) == []


# ── #1/#2: Kein-Banner-affirmativ-Befund ───────────────────────────────
def test_no_banner_finding_is_low_and_compliant():
    v = build_no_banner_finding(has_dse=True)
    assert v.severity == "LOW"
    assert "konform" in v.text.lower()
    assert "geo-targeting" in v.text.lower()  # Geo-Caveat enthalten


def test_no_banner_finding_flags_missing_dse():
    v = build_no_banner_finding(has_dse=False)
    assert "dse" in v.text.lower() or "datenschutzerkl" in v.text.lower()


# ── #4: Consent-or-Pay ─────────────────────────────────────────────────
def test_consent_or_pay_detected():
    assert detect_consent_or_pay(
        "akzeptieren oder pur-abo abschliessen. cookies & werbung") is True


def test_consent_or_pay_not_on_standard_banner():
    assert not detect_consent_or_pay("alle akzeptieren  ablehnen  einstellungen cookies")


def test_consent_or_pay_needs_consent_context():
    # 'Abo' ohne Consent-Kontext (z.B. normale Paywall) ist kein Consent-or-Pay.
    assert not detect_consent_or_pay("jetzt abonnieren fuer 5 pro monat")


# ── #6: CNAME-Cloaking (nur DNS-freie Faelle) ──────────────────────────
def test_cname_cloaking_empty_and_no_subdomain():
    assert detect_cname_cloaking([], "example.com") == []
    assert detect_cname_cloaking(["https://example.com/app.js"], "") == []
    # Script auf der Hauptdomain (keine Subdomain) → kein Lookup → []
    assert detect_cname_cloaking(["https://example.com/app.js"], "example.com") == []