prebid · VeronikaSolovei9 · Jul 27, 2023 · Jul 4, 2023 · Jul 6, 2023 · Jul 6, 2023
diff --git a/endpoints/cookie_sync.go b/endpoints/cookie_sync.go
@@ -147,6 +147,13 @@ func (c *cookieSyncEndpoint) parseRequest(r *http.Request) (usersync.Request, pr
 		}
 	}
 
+	activityControl, activitiesErr := privacy.NewActivityControl(account.Privacy)
+	if activitiesErr != nil {
+		if errortypes.ContainsFatalError([]error{activitiesErr}) {
+			return usersync.Request{}, privacy.Policies{}, err
+		}
+	}
+
 	syncTypeFilter, err := parseTypeFilter(request.FilterSettings)
 	if err != nil {
 		return usersync.Request{}, privacy.Policies{}, err
@@ -170,6 +177,7 @@ func (c *cookieSyncEndpoint) parseRequest(r *http.Request) (usersync.Request, pr
 		Privacy: usersyncPrivacy{
 			gdprPermissions:  gdprPerms,
 			ccpaParsedPolicy: ccpaParsedPolicy,
+			activityControl:  activityControl,
 		},
 		SyncTypeFilter: syncTypeFilter,
 	}
@@ -499,6 +507,7 @@ type usersyncPrivacyConfig struct {
 type usersyncPrivacy struct {
 	gdprPermissions  gdpr.Permissions
 	ccpaParsedPolicy ccpa.ParsedPolicy
+	activityControl  privacy.ActivityControl
 }
 
 func (p usersyncPrivacy) GDPRAllowsHostCookie() bool {
@@ -515,3 +524,9 @@ func (p usersyncPrivacy) CCPAAllowsBidderSync(bidder string) bool {
 	enforce := p.ccpaParsedPolicy.CanEnforce() && p.ccpaParsedPolicy.ShouldEnforce(bidder)
 	return !enforce
 }
+
+func (p usersyncPrivacy) ActivityAllowsUserSync(bidder string) privacy.ActivityResult {
+	activityResult := p.activityControl.Allow(privacy.ActivitySyncUser,
+		privacy.ScopedName{Scope: privacy.ScopeTypeBidder, Name: bidder})
+	return activityResult
+}
diff --git a/endpoints/cookie_sync_test.go b/endpoints/cookie_sync_test.go
@@ -498,6 +498,7 @@ func TestCookieSyncParseRequest(t *testing.T) {
 		expectedPrivacy      privacy.Policies
 		expectedRequest      usersync.Request
 	}{
+
 		{
 			description: "Complete Request - includes GPP string with EU TCF V2",
 			givenBody: strings.NewReader(`{` +
@@ -972,6 +973,36 @@ func TestCookieSyncParseRequest(t *testing.T) {
 			expectedError:        errCookieSyncAccountBlocked.Error(),
 			givenAccountRequired: true,
 		},
+
+		{
+			description: "Account Defaults - Invalid activities Activities",
+			givenBody: strings.NewReader(`{` +
+				`"bidders":["a", "b"],` +
+				`"account":"ValidAccountInvalidActivities"` +
+				`}`),
+			givenGDPRConfig:  config.GDPR{Enabled: true, DefaultValue: "0"},
+			givenCCPAEnabled: true,
+			givenConfig: config.UserSync{
+				Cooperative: config.UserSyncCooperative{
+					EnabledByDefault: false,
+					PriorityGroups:   [][]string{{"a", "b", "c"}},
+				},
+			},
+			expectedPrivacy: privacy.Policies{},
+			expectedRequest: usersync.Request{
+				Bidders: []string(nil),
+				Cooperative: usersync.Cooperative{
+					Enabled:        false,
+					PriorityGroups: [][]string(nil),
+				},
+				Limit:   0,
+				Privacy: nil,
+				SyncTypeFilter: usersync.SyncTypeFilter{
+					IFrame:   nil,
+					Redirect: nil,
+				},
+			},
+		},
 	}
 
 	for _, test := range testCases {
@@ -996,8 +1027,9 @@ func TestCookieSyncParseRequest(t *testing.T) {
 				ccpaEnforce:            test.givenCCPAEnabled,
 			},
 			accountsFetcher: FakeAccountsFetcher{AccountData: map[string]json.RawMessage{
-				"TestAccount":     json.RawMessage(`{"cookie_sync": {"default_limit": 20, "max_limit": 30, "default_coop_sync": true}}`),
-				"DisabledAccount": json.RawMessage(`{"disabled":true}`),
+				"TestAccount":                   json.RawMessage(`{"cookie_sync": {"default_limit": 20, "max_limit": 30, "default_coop_sync": true}}`),
+				"DisabledAccount":               json.RawMessage(`{"disabled":true}`),
+				"ValidAccountInvalidActivities": json.RawMessage(`{"privacy":{"allowactivities":{"syncUser":{"rules":[{"condition":{"componentName": ["bidderA.bidderB.bidderC"]}}]}}}}`),
 			}},
 		}
 		assert.NoError(t, endpoint.config.MarshalAccountDefaults())
@@ -1870,6 +1902,41 @@ func TestUsersyncPrivacyCCPAAllowsBidderSync(t *testing.T) {
 	}
 }
 
+func TestActivityDefaultToDefaultResult(t *testing.T) {
+	testCases := []struct {
+		name           string
+		bidderName     string
+		allow          bool
+		expectedResult privacy.ActivityResult
+	}{
+		{
+			name:           "activity_is_allowed",
+			bidderName:     "bidderA",
+			allow:          true,
+			expectedResult: privacy.ActivityAllow,
+		},
+		{
+			name:           "activity_is_denied",
+			bidderName:     "bidderA",
+			allow:          false,
+			expectedResult: privacy.ActivityDeny,
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.name, func(t *testing.T) {
+			privacyConfig := getDefaultActivityConfig(test.bidderName, test.allow)
+			activities, err := privacy.NewActivityControl(privacyConfig)
+			assert.NoError(t, err)
+			up := usersyncPrivacy{
+				activityControl: activities,
+			}
+			actualResult := up.ActivityAllowsUserSync(test.bidderName)
+			assert.Equal(t, test.expectedResult, actualResult)
+		})
+	}
+}
+
 func TestCombineErrors(t *testing.T) {
 	testCases := []struct {
 		description    string
@@ -2030,3 +2097,22 @@ func (p *fakePermissions) AuctionActivitiesAllowed(ctx context.Context, bidderCo
 		AllowBidRequest: true,
 	}, nil
 }
+
+func getDefaultActivityConfig(componentName string, allow bool) *config.AccountPrivacy {
+	return &config.AccountPrivacy{
+		AllowActivities: config.AllowActivities{
+			SyncUser: config.Activity{
+				Default: ptrutil.ToPtr(true),
+				Rules: []config.ActivityRule{
+					{
+						Allow: allow,
+						Condition: config.ActivityCondition{
+							ComponentName: []string{componentName},
+							ComponentType: []string{"bidder"},
+						},
+					},
+				},
+			},
+		},
+	}
+}
diff --git a/endpoints/setuid.go b/endpoints/setuid.go
@@ -3,6 +3,8 @@ package endpoints
 import (
 	"context"
 	"errors"
+	"github.com/prebid/prebid-server/errortypes"
+	"github.com/prebid/prebid-server/privacy"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -56,7 +58,7 @@ func NewSetUIDEndpoint(cfg *config.Configuration, syncersByBidder map[string]use
 
 		query := r.URL.Query()
 
-		syncer, err := getSyncer(query, syncersByKey)
+		syncer, bidderName, err := getSyncer(query, syncersByKey)
 		if err != nil {
 			w.WriteHeader(http.StatusBadRequest)
 			w.Write([]byte(err.Error()))
@@ -101,6 +103,21 @@ func NewSetUIDEndpoint(cfg *config.Configuration, syncersByBidder map[string]use
 			return
 		}
 
+		activities, activitiesErr := privacy.NewActivityControl(account.Privacy)
+		if activitiesErr != nil {
+			if errortypes.ContainsFatalError([]error{activitiesErr}) {
+				w.WriteHeader(http.StatusBadRequest)
+				return
+			}
+		}
+
+		userSyncActivityAllowed := activities.Allow(privacy.ActivitySyncUser,
+			privacy.ScopedName{Scope: privacy.ScopeTypeBidder, Name: bidderName})
+		if userSyncActivityAllowed == privacy.ActivityDeny {
+			w.WriteHeader(http.StatusUnavailableForLegalReasons)
+			return
+		}
+
 		tcf2Cfg := tcf2CfgBuilder(cfg.GDPR.TCF2, account.GDPR)
 
 		if shouldReturn, status, body := preventSyncsGDPR(query.Get("gdpr"), query.Get("gdpr_consent"), gdprPermsBuilder, tcf2Cfg); shouldReturn {
@@ -148,19 +165,19 @@ func NewSetUIDEndpoint(cfg *config.Configuration, syncersByBidder map[string]use
 	})
 }
 
-func getSyncer(query url.Values, syncersByKey map[string]usersync.Syncer) (usersync.Syncer, error) {
-	key := query.Get("bidder")
+func getSyncer(query url.Values, syncersByKey map[string]usersync.Syncer) (usersync.Syncer, string, error) {
+	bidderName := query.Get("bidder")
 
-	if key == "" {
-		return nil, errors.New(`"bidder" query param is required`)
+	if bidderName == "" {
+		return nil, "", errors.New(`"bidder" query param is required`)
 	}
 
-	syncer, syncerExists := syncersByKey[key]
+	syncer, syncerExists := syncersByKey[bidderName]
 	if !syncerExists {
-		return nil, errors.New("The bidder name provided is not supported by Prebid Server")
+		return nil, "", errors.New("The bidder name provided is not supported by Prebid Server")
 	}
 
-	return syncer, nil
+	return syncer, bidderName, nil
 }
 
 // getResponseFormat reads the format query parameter or falls back to the syncer's default.

diff --git a/endpoints/setuid_test.go b/endpoints/setuid_test.go
@@ -254,6 +254,34 @@ func TestSetUIDEndpoint(t *testing.T) {
 			expectedBody:           "account is disabled, please reach out to the prebid server host",
 			description:            "Set uid for valid bidder with valid disabled account provided",
 		},
+		{
+			uri:                    "/setuid?bidder=pubmatic&uid=123&account=valid_acct_with_valid_activities_usersync_enabled",
+			syncersBidderNameToKey: map[string]string{"pubmatic": "pubmatic"},
+			existingSyncs:          nil,
+			gdprAllowsHostCookies:  true,
+			expectedSyncs:          map[string]string{"pubmatic": "123"},
+			expectedStatusCode:     http.StatusOK,
+			expectedHeaders:        map[string]string{"Content-Type": "text/html", "Content-Length": "0"},
+			description:            "Set uid for valid bidder with valid account provided with user sync allowed activity",
+		},
+		{
+			uri:                    "/setuid?bidder=pubmatic&uid=123&account=valid_acct_with_valid_activities_usersync_disabled",
+			syncersBidderNameToKey: map[string]string{"pubmatic": "pubmatic"},
+			existingSyncs:          nil,
+			gdprAllowsHostCookies:  true,
+			expectedSyncs:          nil,
+			expectedStatusCode:     http.StatusUnavailableForLegalReasons,
+			description:            "Set uid for valid bidder with valid account provided with user sync disallowed activity",
+		},
+		{
+			uri:                    "/setuid?bidder=pubmatic&uid=123&account=valid_acct_with_invalid_activities",
+			syncersBidderNameToKey: map[string]string{"pubmatic": "pubmatic"},
+			existingSyncs:          nil,
+			gdprAllowsHostCookies:  true,
+			expectedSyncs:          nil,
+			expectedStatusCode:     http.StatusBadRequest,
+			description:            "Set uid for valid bidder with valid account provided with invalid user sync activity",
+		},
 	}
 
 	analytics := analyticsConf.NewPBSAnalytics(&config.Analytics{})
@@ -740,6 +768,10 @@ func doRequest(req *http.Request, analytics analytics.PBSAnalyticsModule, metric
 		"disabled_acct":     json.RawMessage(`{"disabled":true}`),
 		"malformed_acct":    json.RawMessage(`{"disabled":"malformed"}`),
 		"invalid_json_acct": json.RawMessage(`{"}`),
+
+		"valid_acct_with_valid_activities_usersync_enabled":  json.RawMessage(`{"privacy":{"allowactivities":{"syncUser":{"default": true}}}}`),
+		"valid_acct_with_valid_activities_usersync_disabled": json.RawMessage(`{"privacy":{"allowactivities":{"syncUser":{"default": false}}}}`),
+		"valid_acct_with_invalid_activities":                 json.RawMessage(`{"privacy":{"allowactivities":{"syncUser":{"rules":[{"condition":{"componentName": ["bidderA.bidderB.bidderC"]}}]}}}}`),
 	}}
 
 	endpoint := NewSetUIDEndpoint(&cfg, syncersByBidder, gdprPermsBuilder, tcf2ConfigBuilder, analytics, fakeAccountsFetcher, metrics)

diff --git a/privacy/enforcer.go b/privacy/enforcer.go
@@ -3,7 +3,6 @@ package privacy
 import (
 	"fmt"
 	"github.com/prebid/prebid-server/config"
-	"github.com/prebid/prebid-server/errortypes"
 	"strings"
 )
 
@@ -33,9 +32,6 @@ func NewActivityControl(privacyConf *config.AccountPrivacy) (ActivityControl, er
 
 	if privacyConf == nil {
 		return ac, err
-	} else {
-		//temporarily disable Activities if they are specified at the account level
-		return ac, &errortypes.Warning{Message: "account.Privacy has no effect as the feature is under development."}
 	}
 
 	plans := make(map[Activity]ActivityPlan)

diff --git a/privacy/enforcer_test.go b/privacy/enforcer_test.go
@@ -8,7 +8,7 @@ import (
 	"testing"
 )
 
-func TemporarilyDisabledTestNewActivityControl(t *testing.T) {
+func TestNewActivityControl(t *testing.T) {
 
 	testCases := []struct {
 		name            string

diff --git a/usersync/chooser.go b/usersync/chooser.go
@@ -1,5 +1,9 @@
 package usersync
 
+import (
+	privacyActivity "github.com/prebid/prebid-server/privacy"
+)
+
 // Chooser determines which syncers are eligible for a given request.
 type Chooser interface {
 	// Choose considers bidders to sync, filters the bidders, and returns the result of the
@@ -85,13 +89,17 @@ const (
 
 	// StatusDuplicate specifies the bidder is a duplicate or shared a syncer key with another bidder choice.
 	StatusDuplicate
+
+	// StatusBlockedByPrivacy specifies a bidder sync url is not allowed by privacy activities
+	StatusBlockedByPrivacy
 )
 
 // Privacy determines which privacy policies will be enforced for a user sync request.
 type Privacy interface {
 	GDPRAllowsHostCookie() bool
 	GDPRAllowsBidderSync(bidder string) bool
 	CCPAAllowsBidderSync(bidder string) bool
+	ActivityAllowsUserSync(bidder string) privacyActivity.ActivityResult
 }
 
 // standardChooser implements the user syncer algorithm per official Prebid specification.
@@ -151,6 +159,11 @@ func (c standardChooser) evaluate(bidder string, syncersSeen map[string]struct{}
 		return nil, BidderEvaluation{Status: StatusAlreadySynced, Bidder: bidder, SyncerKey: syncer.Key()}
 	}
 
+	userSyncActivityAllowed := privacy.ActivityAllowsUserSync(bidder)
+	if userSyncActivityAllowed == privacyActivity.ActivityDeny {
+		return nil, BidderEvaluation{Status: StatusBlockedByPrivacy, Bidder: bidder, SyncerKey: syncer.Key()}
+	}
+
 	if !privacy.GDPRAllowsBidderSync(bidder) {
 		return nil, BidderEvaluation{Status: StatusBlockedByGDPR, Bidder: bidder, SyncerKey: syncer.Key()}
 	}

diff --git a/usersync/chooser_test.go b/usersync/chooser_test.go
@@ -1,12 +1,11 @@
 package usersync
 
 import (
-	"testing"
-	"time"
-
 	"github.com/prebid/prebid-server/privacy"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"testing"
+	"time"
 )
 
 func TestNewChooser(t *testing.T) {
@@ -322,6 +321,15 @@ func TestChooserEvaluate(t *testing.T) {
 			expectedSyncer:     nil,
 			expectedEvaluation: BidderEvaluation{Bidder: "a", SyncerKey: "keyA", Status: StatusBlockedByCCPA},
 		},
+		{
+			description:        "Blocked By activity control",
+			givenBidder:        "a",
+			givenSyncersSeen:   map[string]struct{}{},
+			givenPrivacy:       fakePrivacy{gdprAllowsHostCookie: true, gdprAllowsBidderSync: true, ccpaAllowsBidderSync: true, activityAllowUserSync: privacy.ActivityDeny},
+			givenCookie:        cookieNeedsSync,
+			expectedSyncer:     nil,
+			expectedEvaluation: BidderEvaluation{Bidder: "a", SyncerKey: "keyA", Status: StatusBlockedByPrivacy},
+		},
 	}
 
 	for _, test := range testCases {
@@ -373,9 +381,10 @@ func (fakeSyncer) GetSync(syncTypes []SyncType, privacyPolicies privacy.Policies
 }
 
 type fakePrivacy struct {
-	gdprAllowsHostCookie bool
-	gdprAllowsBidderSync bool
-	ccpaAllowsBidderSync bool
+	gdprAllowsHostCookie  bool
+	gdprAllowsBidderSync  bool
+	ccpaAllowsBidderSync  bool
+	activityAllowUserSync privacy.ActivityResult
 }
 
 func (p fakePrivacy) GDPRAllowsHostCookie() bool {
@@ -389,3 +398,7 @@ func (p fakePrivacy) GDPRAllowsBidderSync(bidder string) bool {
 func (p fakePrivacy) CCPAAllowsBidderSync(bidder string) bool {
 	return p.ccpaAllowsBidderSync
 }
+
+func (p fakePrivacy) ActivityAllowsUserSync(bidder string) privacy.ActivityResult {
+	return p.activityAllowUserSync
+}