microsoft · maxgolov · Jun 6, 2023 · Jun 13, 2023 · Jan 18, 2024 · Jun 10, 2026
@@ -29,6 +29,9 @@ public enum LogConfigurationKey {
   /** Enable network detector. */
   CFG_BOOL_ENABLE_NET_DETECT("enableNetworkDetector", Boolean.class),
 
+  /** Scrub (obfuscate) the client IP address at the collector. Applied unless explicitly set to false (on by default; not present in the default configuration). */
+  CFG_BOOL_ENABLE_IP_SCRUBBING("enableIpScrubbing", Boolean.class),
+
   CFG_BOOL_TPM_CLOCK_SKEW_ENABLED("clockSkewEnabled", Boolean.class),
 
   /** Parameter that allows to check if the SDK is running on UTC mode */

@@ -6,6 +6,8 @@
 #define EVENTPROPERTIESDECORATOR_HPP
 
 #include "IDecorator.hpp"
+#include "ILogManager.hpp"
+#include "RecordFlagConstants.hpp"
 #include "EventProperties.hpp"
 #include "CorrelationVector.hpp"
 #include "utils/Utils.hpp"
@@ -16,15 +18,6 @@
 
 namespace MAT_NS_BEGIN {
 
-// Bit remapping has to happen on bits passed via API surface.
-// Ref CS2.1+ : https://osgwiki.com/wiki/CommonSchema/flags
-// #define MICROSOFT_EVENTTAG_MARK_PII 0x08000000
-#define RECORD_FLAGS_EVENTTAG_MARK_PII 0x00080000
-// #define MICROSOFT_EVENTTAG_HASH_PII 0x04000000
-#define RECORD_FLAGS_EVENTTAG_HASH_PII 0x00100000
-// #define MICROSOFT_EVENTTAG_DROP_PII 0x02000000
-#define RECORD_FLAGS_EVENTTAG_DROP_PII 0x00200000
-
     class EventPropertiesDecorator : public IDecorator
     {
     protected:
@@ -125,6 +118,14 @@ namespace MAT_NS_BEGIN {
             int64_t tags = eventProperties.GetPolicyBitFlags();
             int64_t flags = 0;
 
+            // Scrub/obfuscate the client IP address at the collector by default.
+            // Hosts that require the client IP (e.g. for geo-location enrichment)
+            // can opt out by setting CFG_BOOL_ENABLE_IP_SCRUBBING = false.
+            ILogConfiguration& config = m_owner.GetLogConfiguration();
+            if (!config.HasConfig(CFG_BOOL_ENABLE_IP_SCRUBBING) || config[CFG_BOOL_ENABLE_IP_SCRUBBING])
+            {
+                flags |= RECORD_FLAGS_EVENTTAG_SCRUB_IP;
+            }
             // We must remap from one bitfield set to another, no way to bit-shift :(
             // At the moment 1DS SDK in direct upload mode supports DROP and MARK tags only:
             flags |= (tags & MICROSOFT_EVENTTAG_MARK_PII) ? RECORD_FLAGS_EVENTTAG_MARK_PII : 0;

@@ -0,0 +1,30 @@
+//
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+//
+#ifndef RECORDFLAGCONSTANTS_HPP
+#define RECORDFLAGCONSTANTS_HPP
+
+#include "ctmacros.hpp"
+
+#include <cstdint>
+
+namespace MAT_NS_BEGIN {
+
+    // On-wire CS protocol record.flags bits. These are distinct from the
+    // API-surface MICROSOFT_EVENTTAG_* policy flags and are remapped onto
+    // record.flags by EventPropertiesDecorator. Kept in a dedicated header so
+    // other components (e.g. the stats pipeline) can reference a single bit
+    // definition without depending on the decorator's inline implementation.
+    // Ref CS2.1+: https://osgwiki.com/wiki/CommonSchema/flags
+    // (API-surface MICROSOFT_EVENTTAG_MARK_PII 0x08000000)
+    static constexpr std::int64_t RECORD_FLAGS_EVENTTAG_MARK_PII = 0x00080000;
+    // (API-surface MICROSOFT_EVENTTAG_HASH_PII 0x04000000)
+    static constexpr std::int64_t RECORD_FLAGS_EVENTTAG_HASH_PII = 0x00100000;
+    // (API-surface MICROSOFT_EVENTTAG_DROP_PII 0x02000000)
+    static constexpr std::int64_t RECORD_FLAGS_EVENTTAG_DROP_PII = 0x00200000;
+    static constexpr std::int64_t RECORD_FLAGS_EVENTTAG_SCRUB_IP = 0x00400000;
+
+} MAT_NS_END
+
+#endif // RECORDFLAGCONSTANTS_HPP
@@ -104,6 +104,16 @@ namespace MAT_NS_BEGIN
     /// </summary>
     static constexpr const char* const CFG_BOOL_ENABLE_NET_DETECT = "enableNetworkDetector";
 
+    /// <summary>
+    /// Request collector-side scrubbing (obfuscation) of the client IP address.
+    /// Applied unless explicitly set to false (on by default; the key is not
+    /// present in the default configuration). Opt out when the client IP is
+    /// needed, e.g. for geo-location enrichment. Honored by the OneCollector
+    /// direct-upload path; in UTC mode client privacy is governed by the OS UTC
+    /// pipeline instead.
+    /// </summary>
+    static constexpr const char* const CFG_BOOL_ENABLE_IP_SCRUBBING = "enableIpScrubbing";
+
     /// <summary>
     /// Parameter that allows to check if the SDK is running on UTC mode
     /// </summary>

@@ -9,6 +9,7 @@
 #include "ILogManager.hpp"
 #include "mat/config.h"
 #include "utils/Utils.hpp"
+#include "decorators/RecordFlagConstants.hpp"
 #include <oacr.h>
 
 namespace MAT_NS_BEGIN {
@@ -83,6 +84,13 @@ namespace MAT_NS_BEGIN {
             result &= m_baseDecorator.decorate(record);
             // Allow stats to capture Part A common properties, but not the custom
             result &= m_semanticContextDecorator.decorate(record, true);
+            // Stats events bypass EventPropertiesDecorator, so apply the same
+            // collector-side client-IP scrub here (on by default; opt out via
+            // CFG_BOOL_ENABLE_IP_SCRUBBING = false).
+            if (!m_config.HasConfig(CFG_BOOL_ENABLE_IP_SCRUBBING) || m_config[CFG_BOOL_ENABLE_IP_SCRUBBING])
+            {
+                record.flags |= RECORD_FLAGS_EVENTTAG_SCRUB_IP;
+            }
             if (result)
             {
                 IncomingEventContext evt(PAL::generateUuidString(), tenantToken, EventLatency_Normal, EventPersistence_Normal, &record);

@@ -28,6 +28,19 @@ class TestEventPropertiesDecorator : public EventPropertiesDecorator
     }
 };
 
+// NullLogManager hands out a single shared static ILogConfiguration, which would
+// leak configuration across tests. This subclass owns a per-instance configuration
+// so the IP-scrubbing opt-out can be exercised in isolation.
+class ConfigurableLogManager : public NullLogManager
+{
+public:
+    ILogConfiguration localConfig;
+    ILogConfiguration& GetLogConfiguration() override
+    {
+        return localConfig;
+    }
+};
+
 static std::unique_ptr<Record> PopulateRecordForDropPii()
 {
     auto record = std::unique_ptr<Record>(new Record{});
@@ -545,3 +558,41 @@ TEST(EventPropertiesDecoratorTests, DropPiiPartA_StripsValues)
     EXPECT_THAT(record->extSdk[0].installId, Eq(""));
     EXPECT_THAT(record->cV, Eq(""));
 }
+
+TEST(EventPropertiesDecoratorTests, Decorate_ScrubIp_EnabledByDefault)
+{
+    ConfigurableLogManager logManager;  // CFG_BOOL_ENABLE_IP_SCRUBBING not set
+    EventPropertiesDecorator decorator(logManager);
+    Record record;
+    EventProperties props {"TestEvent"};
+    EventLatency latency = EventLatency::EventLatency_Normal;
+
+    EXPECT_TRUE(decorator.decorate(record, latency, props));
+    EXPECT_TRUE(record.flags & RECORD_FLAGS_EVENTTAG_SCRUB_IP);
+}
+
+TEST(EventPropertiesDecoratorTests, Decorate_ScrubIp_OptOutViaConfig)
+{
+    ConfigurableLogManager logManager;
+    logManager.localConfig[CFG_BOOL_ENABLE_IP_SCRUBBING] = false;
+    EventPropertiesDecorator decorator(logManager);
+    Record record;
+    EventProperties props {"TestEvent"};
+    EventLatency latency = EventLatency::EventLatency_Normal;
+
+    EXPECT_TRUE(decorator.decorate(record, latency, props));
+    EXPECT_FALSE(record.flags & RECORD_FLAGS_EVENTTAG_SCRUB_IP);
+}
+
+TEST(EventPropertiesDecoratorTests, Decorate_ScrubIp_ExplicitlyEnabled)
+{
+    ConfigurableLogManager logManager;
+    logManager.localConfig[CFG_BOOL_ENABLE_IP_SCRUBBING] = true;
+    EventPropertiesDecorator decorator(logManager);
+    Record record;
+    EventProperties props {"TestEvent"};
+    EventLatency latency = EventLatency::EventLatency_Normal;
+
+    EXPECT_TRUE(decorator.decorate(record, latency, props));
+    EXPECT_TRUE(record.flags & RECORD_FLAGS_EVENTTAG_SCRUB_IP);
+}
@@ -44,6 +44,11 @@ extern NSString * _Nonnull const ODWCFG_BOOL_ENABLE_WAL_JOURNAL;
 */
 extern NSString * _Nonnull const ODWCFG_BOOL_ENABLE_NET_DETECT;
 
+/*!
+ Scrub (obfuscate) the client IP address at the collector. Applied unless explicitly set to false (on by default; not present in the default configuration).
+*/
+extern NSString * _Nonnull const ODWCFG_BOOL_ENABLE_IP_SCRUBBING;
+
 /*!
  The event collection URI.
 */

@@ -50,6 +50,11 @@
 */
 NSString *const ODWCFG_BOOL_ENABLE_NET_DETECT = @"enableNetworkDetector";
 
+/*!
+ Scrub (obfuscate) the client IP address at the collector. Applied unless explicitly set to false (on by default; not present in the default configuration).
+*/
+NSString *const ODWCFG_BOOL_ENABLE_IP_SCRUBBING = @"enableIpScrubbing";
+
 /*!
  The event collection URI.
 */