diff --git a/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb b/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb index 7760e2107ed8..5fdc1729a7ca 100644 --- a/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb +++ b/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb @@ -31,14 +31,14 @@ b end - before do + before(:all) do # always create the bucket - bucket + @bucket = bucket end - after do - bucket.files.all &:delete - safe_gcs_execute { bucket.delete } + after(:all) do + @bucket.files.all &:delete + safe_gcs_execute { @bucket.delete } end let(:files) do @@ -48,27 +48,92 @@ describe "KMS customer-managed encryption key (CMEK)" do it "knows its encryption configuration" do - _(bucket.default_kms_key).wont_be :nil? - _(bucket.default_kms_key).must_equal kms_key - bucket.reload! - _(bucket.default_kms_key).wont_be :nil? - _(bucket.default_kms_key).must_equal kms_key + _(@bucket.default_kms_key).wont_be :nil? + _(@bucket.default_kms_key).must_equal kms_key + @bucket.reload! + _(@bucket.default_kms_key).wont_be :nil? + _(@bucket.default_kms_key).must_equal kms_key end it "can update its default kms key to another key" do - _(bucket.default_kms_key).must_equal kms_key - bucket.default_kms_key = kms_key_2 - _(bucket.default_kms_key).must_equal kms_key_2 - bucket.reload! - _(bucket.default_kms_key).must_equal kms_key_2 + _(@bucket.default_kms_key).must_equal kms_key + @bucket.default_kms_key = kms_key_2 + _(@bucket.default_kms_key).must_equal kms_key_2 + @bucket.reload! + _(@bucket.default_kms_key).must_equal kms_key_2 end it "can remove its default kms key by setting encryption to nil" do - _(bucket.default_kms_key).must_equal kms_key - bucket.default_kms_key = nil - _(bucket.default_kms_key).must_be :nil? - bucket.reload! - _(bucket.default_kms_key).must_be :nil? + _(@bucket.default_kms_key).must_equal kms_key + @bucket.default_kms_key = nil + _(@bucket.default_kms_key).must_be :nil? + @bucket.reload! + _(@bucket.default_kms_key).must_be :nil? + end + end + + describe "bucket encryption enforcement config" do + customer_supplied_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + customer_managed_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + google_managed_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + + it "gets, sets and clears customer supplied encryption enforcement config" do + # set customer supplied encryption enforcement config to bucket + @bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config + @bucket.reload! + # get customer supplied encryption enforcement config from bucket and verify its values + _(@bucket.customer_supplied_encryption_enforcement_config).wont_be_nil + _(@bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + # clear customer supplied encryption enforcement config from bucket + @bucket.customer_supplied_encryption_enforcement_config = nil + @bucket.reload! + _(@bucket.customer_supplied_encryption_enforcement_config).must_be_nil + end + + it "gets, sets and clears customer managed encryption enforcement config" do + # set customer managed encryption enforcement config to bucket + @bucket.customer_managed_encryption_enforcement_config = customer_managed_config + @bucket.reload! + # get customer managed encryption enforcement config from bucket and verify its values + _(@bucket.customer_managed_encryption_enforcement_config).wont_be_nil + _(@bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted" + # clear customer managed encryption enforcement config from bucket + @bucket.customer_managed_encryption_enforcement_config = nil + @bucket.reload! + _(@bucket.customer_managed_encryption_enforcement_config).must_be_nil + end + + it "gets, sets and clears google managed encryption enforcement config" do + # set google managed encryption enforcement config to bucket + @bucket.google_managed_encryption_enforcement_config = google_managed_config + @bucket.reload! + # get google managed encryption enforcement config from bucket and verify its values + _(@bucket.google_managed_encryption_enforcement_config).wont_be_nil + _(@bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + # clear google managed encryption enforcement config from bucket + @bucket.google_managed_encryption_enforcement_config = nil + @bucket.reload! + _(@bucket.google_managed_encryption_enforcement_config).must_be_nil + end + + it "raises error when setting invalid encryption enforcement config" do + customer_supplied_config1 = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "test" + expect {@bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config1}.must_raise Google::Cloud::InvalidArgumentError + end + + it "setting and clearing encryption enforcement config does not affect bucket's default kms key" do + # set default kms key to bucket + @bucket.google_managed_encryption_enforcement_config = google_managed_config + @bucket.reload! + # verify default kms key is set + _(@bucket.default_kms_key).must_equal kms_key + # clear encryption enforcement config + @bucket.customer_supplied_encryption_enforcement_config = nil + @bucket.customer_managed_encryption_enforcement_config = nil + @bucket.google_managed_encryption_enforcement_config = nil + @bucket.reload! + # verify default kms key is still set + _(@bucket.default_kms_key).must_equal kms_key end end end diff --git a/google-cloud-storage/lib/google/cloud/storage/bucket.rb b/google-cloud-storage/lib/google/cloud/storage/bucket.rb index ca8461354bb7..17e6bae808f7 100644 --- a/google-cloud-storage/lib/google/cloud/storage/bucket.rb +++ b/google-cloud-storage/lib/google/cloud/storage/bucket.rb @@ -717,6 +717,121 @@ def default_kms_key= new_default_kms_key patch_gapi! :encryption end + # The bucket's encryption configuration for customer-managed encryption keys. + # This configuration defines the + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. + # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). + # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new + # restriction_mode: "NotRestricted" + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + + def customer_managed_encryption_enforcement_config + @gapi.encryption&.customer_managed_encryption_enforcement_config + end + + # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files. + # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] new_customer_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + # bucket.customer_managed_encryption_enforcement_config = new_config + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + + def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config + @gapi.encryption ||= API::Bucket::Encryption.new + @gapi.encryption.customer_managed_encryption_enforcement_config = + new_customer_managed_encryption_enforcement_config + patch_gapi! :encryption + end + + ## + # The bucket's encryption configuration for customer-supplied encryption keys. This configuration defines the + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements + # for the bucket. + # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). + # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] + # The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # bucket.customer_supplied_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new + # restriction_mode: "NotRestricted" + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted". + + def customer_supplied_encryption_enforcement_config + @gapi.encryption&.customer_supplied_encryption_enforcement_config + end + + ## + # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files. + # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] new_customer_supplied_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + # bucket.customer_supplied_encryption_enforcement_config = new_config + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + + def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config + @gapi.encryption ||= API::Bucket::Encryption.new + @gapi.encryption.customer_supplied_encryption_enforcement_config = + new_customer_supplied_encryption_enforcement_config + patch_gapi! :encryption + end + + ## + # The bucket's encryption configuration for google-managed encryption keys. + # This configuration defines the + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption + # requirements for the bucket. + # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). + # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] + # The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # bucket.google_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new + # restriction_mode: "NotRestricted" + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted". + + def google_managed_encryption_enforcement_config + @gapi.encryption&.google_managed_encryption_enforcement_config + end + + ## + # Sets the bucket's encryption configuration for google-managed encryption that will be used to protect files. + # @param [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] new_google_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + # bucket.google_managed_encryption_enforcement_config = new_config + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + + def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config + @gapi.encryption ||= API::Bucket::Encryption.new + @gapi.encryption.google_managed_encryption_enforcement_config = + new_google_managed_encryption_enforcement_config + patch_gapi! :encryption + end + ## # The period of time (in seconds) that files in the bucket must be # retained, and cannot be deleted, overwritten, or archived. diff --git a/google-cloud-storage/samples/acceptance/buckets_test.rb b/google-cloud-storage/samples/acceptance/buckets_test.rb index bb78ba9bbe44..e30b0cfb79d3 100644 --- a/google-cloud-storage/samples/acceptance/buckets_test.rb +++ b/google-cloud-storage/samples/acceptance/buckets_test.rb @@ -37,6 +37,7 @@ require_relative "../storage_get_bucket_class_and_location" require_relative "../storage_get_bucket_metadata" require_relative "../storage_get_default_event_based_hold" +require_relative "../storage_get_encryption_enforcement_config" require_relative "../storage_get_public_access_prevention" require_relative "../storage_get_requester_pays_status" require_relative "../storage_get_retention_policy" @@ -48,6 +49,8 @@ require_relative "../storage_remove_cors_configuration" require_relative "../storage_remove_retention_policy" require_relative "../storage_set_bucket_default_kms_key" +require_relative "../storage_set_encryption_enforcement_config" +require_relative "../storage_remove_all_encryption_enforcement_config" require_relative "../storage_set_object_retention_policy" require_relative "../storage_set_public_access_prevention_enforced" require_relative "../storage_set_public_access_prevention_inherited" @@ -169,6 +172,44 @@ end end + describe "storage_encryption_enforcement_config" do + bucket_name = random_bucket_name + + it "gets, sets and clears bucket encryption enforcement config" do + # creates bucket with encryption enforcement config + expected = "Created bucket #{bucket_name} with Encryption Enforcement Config.\n" + + retry_resource_exhaustion do + assert_output expected do + set_encryption_enforcement_config bucket_name: bucket_name + end + end + + # get encryption enforcement config + expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \ + "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \ + "Customer-supplied encryption enforcement config restriction mode: FullyRestricted\n" \ + "Google-managed encryption enforcement config restriction mode: FullyRestricted\n" + retry_resource_exhaustion do + assert_output expected do + get_encryption_enforcement_config bucket_name: bucket_name + end + end + + # clears encryption enforcement config + expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n" + + retry_resource_exhaustion do + assert_output expected do + remove_all_encryption_enforcement_config bucket_name: bucket_name + end + end + + refute_nil storage_client.bucket bucket_name + end + delete_bucket_helper bucket_name + end + describe "storage_create_bucket_with_object_retention" do it "creates a bucket with object retention enabled." do bucket_name = random_bucket_name diff --git a/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb new file mode 100644 index 000000000000..652610cc4553 --- /dev/null +++ b/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb @@ -0,0 +1,36 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# [START storage_get_encryption_enforcement_config] +def get_encryption_enforcement_config bucket_name: + # The ID to give your GCS bucket + # bucket_name = "your-unique-bucket-name" + + require "google/cloud/storage" + + storage = Google::Cloud::Storage.new + bucket = storage.bucket bucket_name + puts "Encryption Enforcement Config for bucket #{bucket.name}:" + puts "Customer-managed encryption enforcement config restriction mode: " \ + "#{bucket.customer_managed_encryption_enforcement_config&.restriction_mode}" + puts "Customer-supplied encryption enforcement config restriction mode: " \ + "#{bucket.customer_supplied_encryption_enforcement_config&.restriction_mode}" + puts "Google-managed encryption enforcement config restriction mode: " \ + "#{bucket.google_managed_encryption_enforcement_config&.restriction_mode}" +end +# [END storage_get_encryption_enforcement_config] + +if $PROGRAM_NAME == __FILE__ + get_encryption_enforcement_config bucket_name: ARGV.shift +end diff --git a/google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb new file mode 100644 index 000000000000..781e86c48451 --- /dev/null +++ b/google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb @@ -0,0 +1,34 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# [START storage_remove_all_encryption_enforcement_config] +def remove_all_encryption_enforcement_config bucket_name: + # The ID to give your GCS bucket + # bucket_name = "your-unique-bucket-name" + + require "google/cloud/storage" + + storage = Google::Cloud::Storage.new + bucket = storage.bucket bucket_name do |b| + b.customer_managed_encryption_enforcement_config = nil + b.customer_supplied_encryption_enforcement_config = nil + b.google_managed_encryption_enforcement_config = nil + end + puts "Removed Encryption Enforcement Config from bucket #{bucket.name}." +end +# [END storage_remove_all_encryption_enforcement_config] + +if $PROGRAM_NAME == __FILE__ + remove_all_encryption_enforcement_config bucket_name: ARGV.shift +end diff --git a/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb new file mode 100644 index 000000000000..391f67e7af4b --- /dev/null +++ b/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb @@ -0,0 +1,48 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# [START storage_set_encryption_enforcement_config] +def set_encryption_enforcement_config bucket_name: + # The ID to give your GCS bucket + # bucket_name = "your-unique-bucket-name" + + require "google/cloud/storage" + + storage = Google::Cloud::Storage.new + + customer_managed_config = + Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new( + restriction_mode: "NotRestricted" + ) + customer_supplied_config = + Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new( + restriction_mode: "FullyRestricted" + ) + google_managed_config = + Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new( + restriction_mode: "FullyRestricted" + ) + + bucket = storage.create_bucket bucket_name do |b| + b.customer_managed_encryption_enforcement_config = customer_managed_config + b.customer_supplied_encryption_enforcement_config = customer_supplied_config + b.google_managed_encryption_enforcement_config = google_managed_config + end + puts "Created bucket #{bucket.name} with Encryption Enforcement Config." +end +# [END storage_set_encryption_enforcement_config] + +if $PROGRAM_NAME == __FILE__ + set_encryption_enforcement_config bucket_name: ARGV.shift +end diff --git a/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb b/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb index ce617da110e6..9e84cd78e4f8 100644 --- a/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb +++ b/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb @@ -20,6 +20,8 @@ let(:bucket_json) { bucket_hash.to_json } let(:bucket_gapi) { Google::Apis::StorageV1::Bucket.from_json bucket_json } let(:bucket) { Google::Cloud::Storage::Bucket.from_gapi bucket_gapi, storage.service } + let(:kms_key) { "path/to/encryption_key_name" } + describe "customer-supplied encryption key (CSEK)" do let(:encryption_key) { "y\x03\"\x0E\xB6\xD3\x9B\x0E\xAB*\x19\xFAv\xDEY\xBEI\xF8ftA|[z\x1A\xFBE\xDE\x97&\xBC\xC7" } @@ -70,11 +72,9 @@ end describe "KMS customer-managed encryption key (CMEK)" do - let(:kms_key) { "path/to/encryption_key_name" } - it "gets and sets its encryption config" do mock = Minitest::Mock.new - patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(kms_key) + patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(key_name: kms_key) mock.expect :patch_bucket, patch_bucket_gapi, [bucket_name, patch_bucket_gapi], **patch_bucket_args(options: {retries: 0}) bucket.service.mocked_service = mock @@ -88,11 +88,12 @@ it "sets its encryption config to nil" do bucket_gapi_with_key = bucket_gapi.dup - bucket_gapi_with_key.encryption = encryption_gapi(kms_key) + bucket_gapi_with_key.encryption = encryption_gapi(key_name: kms_key) bucket_with_key = Google::Cloud::Storage::Bucket.from_gapi bucket_gapi_with_key, storage.service - patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(nil) mock = Minitest::Mock.new - mock.expect :patch_bucket, bucket_gapi, [bucket_name, patch_bucket_gapi], **patch_bucket_args(options: {retries: 0}) + mock.expect :patch_bucket, bucket_gapi do |name, patch_obj, **args| + name == bucket_name && patch_obj.encryption&.default_kms_key_name.nil? + end bucket_with_key.service.mocked_service = mock @@ -122,7 +123,6 @@ end end - def create_file_gapi bucket=nil, name = nil Google::Apis::StorageV1::Object.from_json random_file_hash(bucket, name).to_json end diff --git a/google-cloud-storage/test/google/cloud/storage/project_test.rb b/google-cloud-storage/test/google/cloud/storage/project_test.rb index 05724226ca34..052c3a77f184 100644 --- a/google-cloud-storage/test/google/cloud/storage/project_test.rb +++ b/google-cloud-storage/test/google/cloud/storage/project_test.rb @@ -389,7 +389,7 @@ def creds.is_a? target it "creates a bucket with block encryption" do mock = Minitest::Mock.new created_bucket = create_bucket_gapi bucket_name - created_bucket.encryption = encryption_gapi(kms_key) + created_bucket.encryption = encryption_gapi(key_name: kms_key) resp_bucket = bucket_with_location created_bucket mock.expect :insert_bucket, resp_bucket, [project, created_bucket], predefined_acl: nil, predefined_default_object_acl: nil, user_project: nil, enable_object_retention: nil, options: {} @@ -1090,6 +1090,82 @@ def stub.insert_bucket *args _(buckets.unreachable).must_be :nil? end + describe "storage encryption enforcement config" do + # set and get customer managed encryption enforcement config and verify + it "sets and gets customer managed bucket encryption enforcement config" do + mock = Minitest::Mock.new + created_bucket = create_bucket_gapi bucket_name + created_bucket.encryption = encryption_gapi(customer_managed_config_restriction_mode: "NotRestricted") + resp_bucket = bucket_with_location created_bucket + mock.expect :insert_bucket, resp_bucket, [project, created_bucket], predefined_acl: nil, predefined_default_object_acl: nil, user_project: nil, enable_object_retention: nil, options: {} + storage.service.mocked_service = mock + bucket = storage.create_bucket bucket_name do |b| + # set customer managed encryption enforcement config + b.customer_managed_encryption_enforcement_config = customer_managed_config(restriction_mode: "NotRestricted") + end + mock.verify + # get customer managed encryption enforcement config and verify + _(bucket.customer_managed_encryption_enforcement_config).wont_be :nil? + _(bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted" + end + + # set customer supplied and google managed encryption enforcement config and verify + it "sets customer supplied and google managed bucket encryption enforcement config" do + mock = Minitest::Mock.new + created_bucket = create_bucket_gapi bucket_name + created_bucket.encryption = encryption_gapi(customer_supplied_config_restriction_mode: "FullyRestricted", google_managed_config_restriction_mode: "NotRestricted" ) + resp_bucket = bucket_with_location created_bucket + mock.expect :insert_bucket, resp_bucket, [project, created_bucket], predefined_acl: nil, predefined_default_object_acl: nil, user_project: nil, enable_object_retention: nil, options: {} + storage.service.mocked_service = mock + + # set customer supplied and google managed encryption enforcement config + bucket = storage.create_bucket bucket_name do |b| + b.customer_supplied_encryption_enforcement_config = customer_supplied_config(restriction_mode: "FullyRestricted") + b.google_managed_encryption_enforcement_config = google_managed_config(restriction_mode: "NotRestricted" ) + end + mock.verify + # get customer supplied and google managed encryption enforcement config and verify + _(bucket.customer_supplied_encryption_enforcement_config).wont_be :nil? + _(bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + _(bucket.customer_managed_encryption_enforcement_config).must_be :nil? + end + + # delete customer supplied encryption enforcement config and verify + it "deletes customer supplied encryption enforcement config" do + mock = Minitest::Mock.new + + created_bucket = create_bucket_gapi bucket_name + # Set initial state: FullyRestricted + created_bucket.encryption = encryption_gapi(customer_supplied_config_restriction_mode: "FullyRestricted") + resp_bucket = bucket_with_location created_bucket + + mock.expect :insert_bucket, resp_bucket do |project_id, b_arg, **kwargs| + project_id == project && + b_arg.encryption.customer_supplied_encryption_enforcement_config.restriction_mode == "FullyRestricted" + end + + # Define what the bucket should look like AFTER the delete (config should be nil) + updated_bucket_gapi = create_bucket_gapi bucket_name + updated_bucket_gapi.encryption = encryption_gapi(customer_supplied_config_restriction_mode: nil) + + # We verify that the patch_bucket call is made with a bucket that has NO config + mock.expect :patch_bucket, updated_bucket_gapi do |name, b_arg, **kwargs| + name == bucket_name && + b_arg.encryption.customer_supplied_encryption_enforcement_config.nil? + end + storage.service.mocked_service = mock + + # Create the bucket + bucket = storage.create_bucket bucket_name do |b| + b.customer_supplied_encryption_enforcement_config = customer_supplied_config(restriction_mode: "FullyRestricted") + end + # Perform the deletion + bucket.customer_supplied_encryption_enforcement_config = nil + mock.verify + _(bucket.customer_supplied_encryption_enforcement_config).must_be :nil? + end + end + def bucket_with_location created_bucket, location_type: bucket_location_type resp_bucket = created_bucket.dup diff --git a/google-cloud-storage/test/helper.rb b/google-cloud-storage/test/helper.rb index 5d37f92feb26..93d6d606ad43 100644 --- a/google-cloud-storage/test/helper.rb +++ b/google-cloud-storage/test/helper.rb @@ -243,8 +243,35 @@ def download_http_resp gzip: nil OpenStruct.new(header: headers) end - def encryption_gapi key_name - Google::Apis::StorageV1::Bucket::Encryption.new default_kms_key_name: key_name + def encryption_gapi(key_name: nil, + customer_managed_config_restriction_mode: nil, + customer_supplied_config_restriction_mode: nil, + google_managed_config_restriction_mode: nil) + + cm_config = customer_managed_config(restriction_mode: customer_managed_config_restriction_mode) if customer_managed_config_restriction_mode + cs_config = customer_supplied_config(restriction_mode: customer_supplied_config_restriction_mode) if customer_supplied_config_restriction_mode + gm_config = google_managed_config(restriction_mode: google_managed_config_restriction_mode) if google_managed_config_restriction_mode + + params = { + default_kms_key_name: key_name, + customer_managed_encryption_enforcement_config: cm_config, + customer_supplied_encryption_enforcement_config: cs_config, + google_managed_encryption_enforcement_config: gm_config + }.compact # This removes the nil values so the API doesn't get empty configs + + Google::Apis::StorageV1::Bucket::Encryption.new(**params) + end + + def customer_managed_config restriction_mode: nil + Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: restriction_mode + end + + def customer_supplied_config restriction_mode: nil + Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: restriction_mode + end + + def google_managed_config restriction_mode: nil + Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: restriction_mode end def lifecycle_gapi *rules