From 81a0196d1081c494275ab0cf7a97e3b5fce1d99e Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Wed, 18 Feb 2026 12:31:17 +0000 Subject: [PATCH 1/8] adding functionality --- .../lib/google/cloud/storage/bucket.rb | 68 +++++++++++++++++++ .../samples/acceptance/buckets_test.rb | 39 +++++++++++ ...orage_get_encryption_enforcement_config.rb | 33 +++++++++ ...emove_all_encryption_enforcement_config.rb | 34 ++++++++++ ...orage_set_encryption_enforcement_config.rb | 37 ++++++++++ 5 files changed, 211 insertions(+) create mode 100644 google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb create mode 100644 google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb create mode 100644 google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb diff --git a/google-cloud-storage/lib/google/cloud/storage/bucket.rb b/google-cloud-storage/lib/google/cloud/storage/bucket.rb index ca8461354bb7..c699c6e8a1d0 100644 --- a/google-cloud-storage/lib/google/cloud/storage/bucket.rb +++ b/google-cloud-storage/lib/google/cloud/storage/bucket.rb @@ -717,6 +717,74 @@ def default_kms_key= new_default_kms_key patch_gapi! :encryption end + # The bucket's encryption configuration for customer-managed encryption keys. + # This configuration defines the + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. + # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). + # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" + + def customer_managed_encryption_enforcement_config + @gapi.encryption&.customer_managed_encryption_enforcement_config + end + + def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config + @gapi.encryption = API::Bucket::Encryption.new \ + customer_managed_encryption_enforcement_config: new_customer_managed_encryption_enforcement_config + patch_gapi! :encryption + end + + # The bucket's encryption configuration for customer-supplied encryption keys. This configuration defines the + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. + # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). + # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" + + def customer_supplied_encryption_enforcement_config + @gapi.encryption&.customer_supplied_encryption_enforcement_config + end + + def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config + @gapi.encryption = API::Bucket::Encryption.new \ + customer_supplied_encryption_enforcement_config: new_customer_supplied_encryption_enforcement_config + patch_gapi! :encryption + end + + # The bucket's encryption configuration for google-managed encryption keys. + # This configuration defines the + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. + # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). + # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEGoogleManagedEncryptionEnforcementConfigncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" + + def google_managed_encryption_enforcement_config + @gapi.encryption&.google_managed_encryption_enforcement_config + end + + def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config + @gapi.encryption = API::Bucket::Encryption.new \ + google_managed_encryption_enforcement_config: new_google_managed_encryption_enforcement_config + patch_gapi! :encryption + end + ## # The period of time (in seconds) that files in the bucket must be # retained, and cannot be deleted, overwritten, or archived. diff --git a/google-cloud-storage/samples/acceptance/buckets_test.rb b/google-cloud-storage/samples/acceptance/buckets_test.rb index bb78ba9bbe44..af5befb18a3d 100644 --- a/google-cloud-storage/samples/acceptance/buckets_test.rb +++ b/google-cloud-storage/samples/acceptance/buckets_test.rb @@ -37,6 +37,7 @@ require_relative "../storage_get_bucket_class_and_location" require_relative "../storage_get_bucket_metadata" require_relative "../storage_get_default_event_based_hold" +require_relative "../storage_get_encryption_enforcement_config" require_relative "../storage_get_public_access_prevention" require_relative "../storage_get_requester_pays_status" require_relative "../storage_get_retention_policy" @@ -48,6 +49,8 @@ require_relative "../storage_remove_cors_configuration" require_relative "../storage_remove_retention_policy" require_relative "../storage_set_bucket_default_kms_key" +require_relative "../storage_set_encryption_enforcement_config" +require_relative "../storage_remove_all_encryption_enforcement_config" require_relative "../storage_set_object_retention_policy" require_relative "../storage_set_public_access_prevention_enforced" require_relative "../storage_set_public_access_prevention_inherited" @@ -169,6 +172,42 @@ end end + describe "storage_set_encryption_enforcement_config" do + bucket_name = random_bucket_name + + it "creates bucket with encryption enforcement config" do + expected = "Created bucket #{bucket_name} with Encryption Enforcement Config.\n" + + retry_resource_exhaustion do + assert_output expected do + set_encryption_enforcement_config bucket_name: bucket_name + end + end + + expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \ + "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \ + "Customer-supplied encryption enforcement config restriction mode: FullyRestricted\n" \ + "Google-managed encryption enforcement config restriction mode: FullyRestricted\n" + retry_resource_exhaustion do + assert_output expected do + get_encryption_enforcement_config bucket_name: bucket_name + end + end + + expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n" + + retry_resource_exhaustion do + assert_output expected do + remove_all_encryption_enforcement_config bucket_name: bucket_name + end + end + + + refute_nil storage_client.bucket bucket_name + end + delete_bucket_helper bucket_name + end + describe "storage_create_bucket_with_object_retention" do it "creates a bucket with object retention enabled." do bucket_name = random_bucket_name diff --git a/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb new file mode 100644 index 000000000000..bd88fd73e82d --- /dev/null +++ b/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb @@ -0,0 +1,33 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# [START storage_get_encryption_enforcement_config] +def get_encryption_enforcement_config bucket_name: + # The ID to give your GCS bucket + # bucket_name = "your-unique-bucket-name" + + require "google/cloud/storage" + + storage = Google::Cloud::Storage.new + bucket = storage.bucket bucket_name + puts "Encryption Enforcement Config for bucket #{bucket.name}:" + puts "Customer-managed encryption enforcement config restriction mode: #{bucket.customer_managed_encryption_enforcement_config.restriction_mode}" + puts "Customer-supplied encryption enforcement config restriction mode: #{bucket.customer_supplied_encryption_enforcement_config.restriction_mode}" + puts "Google-managed encryption enforcement config restriction mode: #{bucket.google_managed_encryption_enforcement_config.restriction_mode}" +end +# [END storage_get_encryption_enforcement_config] + +if $PROGRAM_NAME == __FILE__ + get_encryption_enforcement_config bucket_name: ARGV.shift +end diff --git a/google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb new file mode 100644 index 000000000000..781e86c48451 --- /dev/null +++ b/google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb @@ -0,0 +1,34 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# [START storage_remove_all_encryption_enforcement_config] +def remove_all_encryption_enforcement_config bucket_name: + # The ID to give your GCS bucket + # bucket_name = "your-unique-bucket-name" + + require "google/cloud/storage" + + storage = Google::Cloud::Storage.new + bucket = storage.bucket bucket_name do |b| + b.customer_managed_encryption_enforcement_config = nil + b.customer_supplied_encryption_enforcement_config = nil + b.google_managed_encryption_enforcement_config = nil + end + puts "Removed Encryption Enforcement Config from bucket #{bucket.name}." +end +# [END storage_remove_all_encryption_enforcement_config] + +if $PROGRAM_NAME == __FILE__ + remove_all_encryption_enforcement_config bucket_name: ARGV.shift +end diff --git a/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb new file mode 100644 index 000000000000..9098a008921f --- /dev/null +++ b/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb @@ -0,0 +1,37 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# [START storage_set_encryption_enforcement_config] +def set_encryption_enforcement_config bucket_name:, restriction_mode: nil + # The ID to give your GCS bucket + # bucket_name = "your-unique-bucket-name" + + require "google/cloud/storage" + + storage = Google::Cloud::Storage.new + + customer_managed_encryption_enforcement_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + customer_supplied_encryption_enforcement_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + google_managed_encryption_enforcement_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + bucket = storage.create_bucket bucket_name + bucket.customer_managed_encryption_enforcement_config = customer_managed_encryption_enforcement_config + bucket.customer_supplied_encryption_enforcement_config = customer_supplied_encryption_enforcement_config + bucket.google_managed_encryption_enforcement_config = google_managed_encryption_enforcement_config + puts "Created bucket #{bucket.name} with Encryption Enforcement Config." +end +# [END storage_set_encryption_enforcement_config] + +if $PROGRAM_NAME == __FILE__ + set_encryption_enforcement_config bucket_name: ARGV.shift +end From cc83d38f31478198ea68c184ad31d51d647d8714 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Thu, 19 Feb 2026 19:18:05 +0000 Subject: [PATCH 2/8] adding acceptance tests --- .../acceptance/storage/bucket_test.rb | 55 +++++++++++++++++++ .../lib/google/cloud/storage/bucket.rb | 24 +++++--- .../samples/acceptance/buckets_test.rb | 14 +++-- ...orage_set_encryption_enforcement_config.rb | 27 ++++++--- 4 files changed, 97 insertions(+), 23 deletions(-) diff --git a/google-cloud-storage/acceptance/storage/bucket_test.rb b/google-cloud-storage/acceptance/storage/bucket_test.rb index ea99e617db26..e2967e8ebfa4 100644 --- a/google-cloud-storage/acceptance/storage/bucket_test.rb +++ b/google-cloud-storage/acceptance/storage/bucket_test.rb @@ -385,4 +385,59 @@ _(storage.bucket(hns_bucket_name)).must_be :nil? end + + describe "bucket encryption enforcement config" do + customer_supplied_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + customer_managed_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + google_managed_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + + after do + safe_gcs_execute { bucket.delete } + end + it "gets, sets and clears customer supplied encryption enforcement config" do + # set customer supplied encryption enforcement config to bucket + bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config + bucket.reload! + # get customer supplied encryption enforcement config from bucket and verify its values + _(bucket.customer_supplied_encryption_enforcement_config).wont_be_nil + _(bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + # clear customer supplied encryption enforcement config from bucket + bucket.customer_supplied_encryption_enforcement_config = nil + bucket.reload! + _(bucket.customer_supplied_encryption_enforcement_config).must_be_nil + end + + it "gets, sets and clears customer managed encryption enforcement config" do + # set customer managed encryption enforcement config to bucket + bucket.customer_managed_encryption_enforcement_config = customer_managed_config + bucket.reload! + # get customer managed encryption enforcement config from bucket and verify its values + _(bucket.customer_managed_encryption_enforcement_config).wont_be_nil + _(bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted" + # clear customer managed encryption enforcement config from bucket + bucket.customer_managed_encryption_enforcement_config = nil + bucket.reload! + _(bucket.customer_managed_encryption_enforcement_config).must_be_nil + end + + it "gets, sets and clears google managed encryption enforcement config" do + # set google managed encryption enforcement config to bucket + bucket.google_managed_encryption_enforcement_config = google_managed_config + bucket.reload! + # get google managed encryption enforcement config from bucket and verify its values + _(bucket.google_managed_encryption_enforcement_config).wont_be_nil + _(bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + # clear google managed encryption enforcement config from bucket + bucket.google_managed_encryption_enforcement_config = nil + bucket.reload! + _(bucket.google_managed_encryption_enforcement_config).must_be_nil + end + + it "raises error when setting invalid encryption enforcement config" do + customer_supplied_config1 = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "test" + expect {bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config1}.must_raise Google::Cloud::InvalidArgumentError + end + end end + + diff --git a/google-cloud-storage/lib/google/cloud/storage/bucket.rb b/google-cloud-storage/lib/google/cloud/storage/bucket.rb index c699c6e8a1d0..d4d39ed2733d 100644 --- a/google-cloud-storage/lib/google/cloud/storage/bucket.rb +++ b/google-cloud-storage/lib/google/cloud/storage/bucket.rb @@ -727,7 +727,8 @@ def default_kms_key= new_default_kms_key # # # storage = Google::Cloud::Storage.new # bucket = storage.bucket "my-bucket" - # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new + # restriction_mode: "NotRestricted" # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" def customer_managed_encryption_enforcement_config @@ -735,8 +736,9 @@ def customer_managed_encryption_enforcement_config end def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config - @gapi.encryption = API::Bucket::Encryption.new \ - customer_managed_encryption_enforcement_config: new_customer_managed_encryption_enforcement_config + @gapi.encryption ||= API::Bucket::Encryption.new + @gapi.encryption.customer_managed_encryption_enforcement_config = + new_customer_managed_encryption_enforcement_config patch_gapi! :encryption end @@ -749,7 +751,8 @@ def customer_managed_encryption_enforcement_config= new_customer_managed_encrypt # # # storage = Google::Cloud::Storage.new # bucket = storage.bucket "my-bucket" - # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new + # restriction_mode: "NotRestricted" # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" def customer_supplied_encryption_enforcement_config @@ -757,8 +760,9 @@ def customer_supplied_encryption_enforcement_config end def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config - @gapi.encryption = API::Bucket::Encryption.new \ - customer_supplied_encryption_enforcement_config: new_customer_supplied_encryption_enforcement_config + @gapi.encryption ||= API::Bucket::Encryption.new + @gapi.encryption.customer_supplied_encryption_enforcement_config = + new_customer_supplied_encryption_enforcement_config patch_gapi! :encryption end @@ -772,7 +776,8 @@ def customer_supplied_encryption_enforcement_config= new_customer_supplied_encry # # # storage = Google::Cloud::Storage.new # bucket = storage.bucket "my-bucket" - # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEGoogleManagedEncryptionEnforcementConfigncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new + # restriction_mode: "NotRestricted" # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" def google_managed_encryption_enforcement_config @@ -780,8 +785,9 @@ def google_managed_encryption_enforcement_config end def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config - @gapi.encryption = API::Bucket::Encryption.new \ - google_managed_encryption_enforcement_config: new_google_managed_encryption_enforcement_config + @gapi.encryption ||= API::Bucket::Encryption.new + @gapi.encryption.google_managed_encryption_enforcement_config = + new_google_managed_encryption_enforcement_config patch_gapi! :encryption end diff --git a/google-cloud-storage/samples/acceptance/buckets_test.rb b/google-cloud-storage/samples/acceptance/buckets_test.rb index af5befb18a3d..b859d9bef961 100644 --- a/google-cloud-storage/samples/acceptance/buckets_test.rb +++ b/google-cloud-storage/samples/acceptance/buckets_test.rb @@ -172,10 +172,11 @@ end end - describe "storage_set_encryption_enforcement_config" do + describe "storage_encryption_enforcement_config" do bucket_name = random_bucket_name - it "creates bucket with encryption enforcement config" do + it "gets, sets and clears bucket encryption enforcement config" do + # creates bucket with encryption enforcement config expected = "Created bucket #{bucket_name} with Encryption Enforcement Config.\n" retry_resource_exhaustion do @@ -183,7 +184,8 @@ set_encryption_enforcement_config bucket_name: bucket_name end end - + + # get encryption enforcement config expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \ "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \ "Customer-supplied encryption enforcement config restriction mode: FullyRestricted\n" \ @@ -193,8 +195,9 @@ get_encryption_enforcement_config bucket_name: bucket_name end end - - expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n" + + # clears encryption enforcement config + expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n" retry_resource_exhaustion do assert_output expected do @@ -202,7 +205,6 @@ end end - refute_nil storage_client.bucket bucket_name end delete_bucket_helper bucket_name diff --git a/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb index 9098a008921f..391f67e7af4b 100644 --- a/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb +++ b/google-cloud-storage/samples/storage_set_encryption_enforcement_config.rb @@ -13,7 +13,7 @@ # limitations under the License. # [START storage_set_encryption_enforcement_config] -def set_encryption_enforcement_config bucket_name:, restriction_mode: nil +def set_encryption_enforcement_config bucket_name: # The ID to give your GCS bucket # bucket_name = "your-unique-bucket-name" @@ -21,13 +21,24 @@ def set_encryption_enforcement_config bucket_name:, restriction_mode: nil storage = Google::Cloud::Storage.new - customer_managed_encryption_enforcement_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" - customer_supplied_encryption_enforcement_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" - google_managed_encryption_enforcement_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" - bucket = storage.create_bucket bucket_name - bucket.customer_managed_encryption_enforcement_config = customer_managed_encryption_enforcement_config - bucket.customer_supplied_encryption_enforcement_config = customer_supplied_encryption_enforcement_config - bucket.google_managed_encryption_enforcement_config = google_managed_encryption_enforcement_config + customer_managed_config = + Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new( + restriction_mode: "NotRestricted" + ) + customer_supplied_config = + Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new( + restriction_mode: "FullyRestricted" + ) + google_managed_config = + Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new( + restriction_mode: "FullyRestricted" + ) + + bucket = storage.create_bucket bucket_name do |b| + b.customer_managed_encryption_enforcement_config = customer_managed_config + b.customer_supplied_encryption_enforcement_config = customer_supplied_config + b.google_managed_encryption_enforcement_config = google_managed_config + end puts "Created bucket #{bucket.name} with Encryption Enforcement Config." end # [END storage_set_encryption_enforcement_config] From d71ed4243b5b1b39a82cba50ff6c767da59db659 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Thu, 19 Feb 2026 19:31:12 +0000 Subject: [PATCH 3/8] lint fix --- google-cloud-storage/acceptance/storage/bucket_test.rb | 2 -- google-cloud-storage/lib/google/cloud/storage/bucket.rb | 6 +++--- google-cloud-storage/samples/acceptance/buckets_test.rb | 4 ++-- .../samples/storage_get_encryption_enforcement_config.rb | 9 ++++++--- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/google-cloud-storage/acceptance/storage/bucket_test.rb b/google-cloud-storage/acceptance/storage/bucket_test.rb index e2967e8ebfa4..c2cb6c9d2b2c 100644 --- a/google-cloud-storage/acceptance/storage/bucket_test.rb +++ b/google-cloud-storage/acceptance/storage/bucket_test.rb @@ -439,5 +439,3 @@ end end end - - diff --git a/google-cloud-storage/lib/google/cloud/storage/bucket.rb b/google-cloud-storage/lib/google/cloud/storage/bucket.rb index d4d39ed2733d..612a979c87d3 100644 --- a/google-cloud-storage/lib/google/cloud/storage/bucket.rb +++ b/google-cloud-storage/lib/google/cloud/storage/bucket.rb @@ -751,7 +751,7 @@ def customer_managed_encryption_enforcement_config= new_customer_managed_encrypt # # # storage = Google::Cloud::Storage.new # bucket = storage.bucket "my-bucket" - # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new + # bucket.customer_supplied_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new # restriction_mode: "NotRestricted" # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" @@ -766,7 +766,7 @@ def customer_supplied_encryption_enforcement_config= new_customer_supplied_encry patch_gapi! :encryption end - # The bucket's encryption configuration for google-managed encryption keys. + # The bucket's encryption configuration for google-managed encryption keys. # This configuration defines the # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). @@ -776,7 +776,7 @@ def customer_supplied_encryption_enforcement_config= new_customer_supplied_encry # # # storage = Google::Cloud::Storage.new # bucket = storage.bucket "my-bucket" - # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new + # bucket.google_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new # restriction_mode: "NotRestricted" # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" diff --git a/google-cloud-storage/samples/acceptance/buckets_test.rb b/google-cloud-storage/samples/acceptance/buckets_test.rb index b859d9bef961..e30b0cfb79d3 100644 --- a/google-cloud-storage/samples/acceptance/buckets_test.rb +++ b/google-cloud-storage/samples/acceptance/buckets_test.rb @@ -184,7 +184,7 @@ set_encryption_enforcement_config bucket_name: bucket_name end end - + # get encryption enforcement config expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \ "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \ @@ -195,7 +195,7 @@ get_encryption_enforcement_config bucket_name: bucket_name end end - + # clears encryption enforcement config expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n" diff --git a/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb b/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb index bd88fd73e82d..652610cc4553 100644 --- a/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb +++ b/google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb @@ -22,9 +22,12 @@ def get_encryption_enforcement_config bucket_name: storage = Google::Cloud::Storage.new bucket = storage.bucket bucket_name puts "Encryption Enforcement Config for bucket #{bucket.name}:" - puts "Customer-managed encryption enforcement config restriction mode: #{bucket.customer_managed_encryption_enforcement_config.restriction_mode}" - puts "Customer-supplied encryption enforcement config restriction mode: #{bucket.customer_supplied_encryption_enforcement_config.restriction_mode}" - puts "Google-managed encryption enforcement config restriction mode: #{bucket.google_managed_encryption_enforcement_config.restriction_mode}" + puts "Customer-managed encryption enforcement config restriction mode: " \ + "#{bucket.customer_managed_encryption_enforcement_config&.restriction_mode}" + puts "Customer-supplied encryption enforcement config restriction mode: " \ + "#{bucket.customer_supplied_encryption_enforcement_config&.restriction_mode}" + puts "Google-managed encryption enforcement config restriction mode: " \ + "#{bucket.google_managed_encryption_enforcement_config&.restriction_mode}" end # [END storage_get_encryption_enforcement_config] From 1d6163e8383e4992f1c8ae9cda1666a95e5768a5 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Thu, 19 Feb 2026 19:51:50 +0000 Subject: [PATCH 4/8] fix docs --- .../lib/google/cloud/storage/bucket.rb | 55 ++++++++++++++++--- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/google-cloud-storage/lib/google/cloud/storage/bucket.rb b/google-cloud-storage/lib/google/cloud/storage/bucket.rb index 612a979c87d3..17e6bae808f7 100644 --- a/google-cloud-storage/lib/google/cloud/storage/bucket.rb +++ b/google-cloud-storage/lib/google/cloud/storage/bucket.rb @@ -729,12 +729,23 @@ def default_kms_key= new_default_kms_key # bucket = storage.bucket "my-bucket" # bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new # restriction_mode: "NotRestricted" - # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" def customer_managed_encryption_enforcement_config @gapi.encryption&.customer_managed_encryption_enforcement_config end + # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files. + # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] new_customer_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + # bucket.customer_managed_encryption_enforcement_config = new_config + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config @gapi.encryption ||= API::Bucket::Encryption.new @gapi.encryption.customer_managed_encryption_enforcement_config = @@ -742,10 +753,13 @@ def customer_managed_encryption_enforcement_config= new_customer_managed_encrypt patch_gapi! :encryption end + ## # The bucket's encryption configuration for customer-supplied encryption keys. This configuration defines the - # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements + # for the bucket. # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). - # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] + # The bucket's encryption configuration, or `nil` if no encryption configuration has been set. # @example # require "google/cloud/storage" # # @@ -753,12 +767,24 @@ def customer_managed_encryption_enforcement_config= new_customer_managed_encrypt # bucket = storage.bucket "my-bucket" # bucket.customer_supplied_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new # restriction_mode: "NotRestricted" - # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted". def customer_supplied_encryption_enforcement_config @gapi.encryption&.customer_supplied_encryption_enforcement_config end + ## + # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files. + # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] new_customer_supplied_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + # bucket.customer_supplied_encryption_enforcement_config = new_config + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config @gapi.encryption ||= API::Bucket::Encryption.new @gapi.encryption.customer_supplied_encryption_enforcement_config = @@ -766,11 +792,14 @@ def customer_supplied_encryption_enforcement_config= new_customer_supplied_encry patch_gapi! :encryption end + ## # The bucket's encryption configuration for google-managed encryption keys. # This configuration defines the - # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket. + # default encryption behavior for the bucket and its files, and it can be used to enforce encryption + # requirements for the bucket. # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/). - # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set. + # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] + # The bucket's encryption configuration, or `nil` if no encryption configuration has been set. # @example # require "google/cloud/storage" # # @@ -778,12 +807,24 @@ def customer_supplied_encryption_enforcement_config= new_customer_supplied_encry # bucket = storage.bucket "my-bucket" # bucket.google_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new # restriction_mode: "NotRestricted" - # allowed restriction_mode for all the config will be "NotRestricted" or "FullyRestricted" + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted". def google_managed_encryption_enforcement_config @gapi.encryption&.google_managed_encryption_enforcement_config end + ## + # Sets the bucket's encryption configuration for google-managed encryption that will be used to protect files. + # @param [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] new_google_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration. + # @example + # require "google/cloud/storage" + # # + # storage = Google::Cloud::Storage.new + # bucket = storage.bucket "my-bucket" + # new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + # bucket.google_managed_encryption_enforcement_config = new_config + # The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted" + def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config @gapi.encryption ||= API::Bucket::Encryption.new @gapi.encryption.google_managed_encryption_enforcement_config = From f8045673fcaf73600efb3e3be2a8321990e190f3 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Mon, 23 Feb 2026 08:14:58 +0000 Subject: [PATCH 5/8] adding unit test --- .../test/google/cloud/storage/project_test.rb | 78 ++++++++++++++++++- google-cloud-storage/test/helper.rb | 31 +++++++- 2 files changed, 106 insertions(+), 3 deletions(-) diff --git a/google-cloud-storage/test/google/cloud/storage/project_test.rb b/google-cloud-storage/test/google/cloud/storage/project_test.rb index 05724226ca34..052c3a77f184 100644 --- a/google-cloud-storage/test/google/cloud/storage/project_test.rb +++ b/google-cloud-storage/test/google/cloud/storage/project_test.rb @@ -389,7 +389,7 @@ def creds.is_a? target it "creates a bucket with block encryption" do mock = Minitest::Mock.new created_bucket = create_bucket_gapi bucket_name - created_bucket.encryption = encryption_gapi(kms_key) + created_bucket.encryption = encryption_gapi(key_name: kms_key) resp_bucket = bucket_with_location created_bucket mock.expect :insert_bucket, resp_bucket, [project, created_bucket], predefined_acl: nil, predefined_default_object_acl: nil, user_project: nil, enable_object_retention: nil, options: {} @@ -1090,6 +1090,82 @@ def stub.insert_bucket *args _(buckets.unreachable).must_be :nil? end + describe "storage encryption enforcement config" do + # set and get customer managed encryption enforcement config and verify + it "sets and gets customer managed bucket encryption enforcement config" do + mock = Minitest::Mock.new + created_bucket = create_bucket_gapi bucket_name + created_bucket.encryption = encryption_gapi(customer_managed_config_restriction_mode: "NotRestricted") + resp_bucket = bucket_with_location created_bucket + mock.expect :insert_bucket, resp_bucket, [project, created_bucket], predefined_acl: nil, predefined_default_object_acl: nil, user_project: nil, enable_object_retention: nil, options: {} + storage.service.mocked_service = mock + bucket = storage.create_bucket bucket_name do |b| + # set customer managed encryption enforcement config + b.customer_managed_encryption_enforcement_config = customer_managed_config(restriction_mode: "NotRestricted") + end + mock.verify + # get customer managed encryption enforcement config and verify + _(bucket.customer_managed_encryption_enforcement_config).wont_be :nil? + _(bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted" + end + + # set customer supplied and google managed encryption enforcement config and verify + it "sets customer supplied and google managed bucket encryption enforcement config" do + mock = Minitest::Mock.new + created_bucket = create_bucket_gapi bucket_name + created_bucket.encryption = encryption_gapi(customer_supplied_config_restriction_mode: "FullyRestricted", google_managed_config_restriction_mode: "NotRestricted" ) + resp_bucket = bucket_with_location created_bucket + mock.expect :insert_bucket, resp_bucket, [project, created_bucket], predefined_acl: nil, predefined_default_object_acl: nil, user_project: nil, enable_object_retention: nil, options: {} + storage.service.mocked_service = mock + + # set customer supplied and google managed encryption enforcement config + bucket = storage.create_bucket bucket_name do |b| + b.customer_supplied_encryption_enforcement_config = customer_supplied_config(restriction_mode: "FullyRestricted") + b.google_managed_encryption_enforcement_config = google_managed_config(restriction_mode: "NotRestricted" ) + end + mock.verify + # get customer supplied and google managed encryption enforcement config and verify + _(bucket.customer_supplied_encryption_enforcement_config).wont_be :nil? + _(bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + _(bucket.customer_managed_encryption_enforcement_config).must_be :nil? + end + + # delete customer supplied encryption enforcement config and verify + it "deletes customer supplied encryption enforcement config" do + mock = Minitest::Mock.new + + created_bucket = create_bucket_gapi bucket_name + # Set initial state: FullyRestricted + created_bucket.encryption = encryption_gapi(customer_supplied_config_restriction_mode: "FullyRestricted") + resp_bucket = bucket_with_location created_bucket + + mock.expect :insert_bucket, resp_bucket do |project_id, b_arg, **kwargs| + project_id == project && + b_arg.encryption.customer_supplied_encryption_enforcement_config.restriction_mode == "FullyRestricted" + end + + # Define what the bucket should look like AFTER the delete (config should be nil) + updated_bucket_gapi = create_bucket_gapi bucket_name + updated_bucket_gapi.encryption = encryption_gapi(customer_supplied_config_restriction_mode: nil) + + # We verify that the patch_bucket call is made with a bucket that has NO config + mock.expect :patch_bucket, updated_bucket_gapi do |name, b_arg, **kwargs| + name == bucket_name && + b_arg.encryption.customer_supplied_encryption_enforcement_config.nil? + end + storage.service.mocked_service = mock + + # Create the bucket + bucket = storage.create_bucket bucket_name do |b| + b.customer_supplied_encryption_enforcement_config = customer_supplied_config(restriction_mode: "FullyRestricted") + end + # Perform the deletion + bucket.customer_supplied_encryption_enforcement_config = nil + mock.verify + _(bucket.customer_supplied_encryption_enforcement_config).must_be :nil? + end + end + def bucket_with_location created_bucket, location_type: bucket_location_type resp_bucket = created_bucket.dup diff --git a/google-cloud-storage/test/helper.rb b/google-cloud-storage/test/helper.rb index 5d37f92feb26..93d6d606ad43 100644 --- a/google-cloud-storage/test/helper.rb +++ b/google-cloud-storage/test/helper.rb @@ -243,8 +243,35 @@ def download_http_resp gzip: nil OpenStruct.new(header: headers) end - def encryption_gapi key_name - Google::Apis::StorageV1::Bucket::Encryption.new default_kms_key_name: key_name + def encryption_gapi(key_name: nil, + customer_managed_config_restriction_mode: nil, + customer_supplied_config_restriction_mode: nil, + google_managed_config_restriction_mode: nil) + + cm_config = customer_managed_config(restriction_mode: customer_managed_config_restriction_mode) if customer_managed_config_restriction_mode + cs_config = customer_supplied_config(restriction_mode: customer_supplied_config_restriction_mode) if customer_supplied_config_restriction_mode + gm_config = google_managed_config(restriction_mode: google_managed_config_restriction_mode) if google_managed_config_restriction_mode + + params = { + default_kms_key_name: key_name, + customer_managed_encryption_enforcement_config: cm_config, + customer_supplied_encryption_enforcement_config: cs_config, + google_managed_encryption_enforcement_config: gm_config + }.compact # This removes the nil values so the API doesn't get empty configs + + Google::Apis::StorageV1::Bucket::Encryption.new(**params) + end + + def customer_managed_config restriction_mode: nil + Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: restriction_mode + end + + def customer_supplied_config restriction_mode: nil + Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: restriction_mode + end + + def google_managed_config restriction_mode: nil + Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: restriction_mode end def lifecycle_gapi *rules From 289ee1848c26c1264f6cce93bdbfcc58c9e942e9 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Wed, 25 Feb 2026 11:01:33 +0000 Subject: [PATCH 6/8] adding tests --- .../storage/bucket_encryption_test.rb | 105 ++++++++++++++---- .../acceptance/storage/bucket_test.rb | 53 --------- 2 files changed, 85 insertions(+), 73 deletions(-) diff --git a/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb b/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb index 7760e2107ed8..5fdc1729a7ca 100644 --- a/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb +++ b/google-cloud-storage/acceptance/storage/bucket_encryption_test.rb @@ -31,14 +31,14 @@ b end - before do + before(:all) do # always create the bucket - bucket + @bucket = bucket end - after do - bucket.files.all &:delete - safe_gcs_execute { bucket.delete } + after(:all) do + @bucket.files.all &:delete + safe_gcs_execute { @bucket.delete } end let(:files) do @@ -48,27 +48,92 @@ describe "KMS customer-managed encryption key (CMEK)" do it "knows its encryption configuration" do - _(bucket.default_kms_key).wont_be :nil? - _(bucket.default_kms_key).must_equal kms_key - bucket.reload! - _(bucket.default_kms_key).wont_be :nil? - _(bucket.default_kms_key).must_equal kms_key + _(@bucket.default_kms_key).wont_be :nil? + _(@bucket.default_kms_key).must_equal kms_key + @bucket.reload! + _(@bucket.default_kms_key).wont_be :nil? + _(@bucket.default_kms_key).must_equal kms_key end it "can update its default kms key to another key" do - _(bucket.default_kms_key).must_equal kms_key - bucket.default_kms_key = kms_key_2 - _(bucket.default_kms_key).must_equal kms_key_2 - bucket.reload! - _(bucket.default_kms_key).must_equal kms_key_2 + _(@bucket.default_kms_key).must_equal kms_key + @bucket.default_kms_key = kms_key_2 + _(@bucket.default_kms_key).must_equal kms_key_2 + @bucket.reload! + _(@bucket.default_kms_key).must_equal kms_key_2 end it "can remove its default kms key by setting encryption to nil" do - _(bucket.default_kms_key).must_equal kms_key - bucket.default_kms_key = nil - _(bucket.default_kms_key).must_be :nil? - bucket.reload! - _(bucket.default_kms_key).must_be :nil? + _(@bucket.default_kms_key).must_equal kms_key + @bucket.default_kms_key = nil + _(@bucket.default_kms_key).must_be :nil? + @bucket.reload! + _(@bucket.default_kms_key).must_be :nil? + end + end + + describe "bucket encryption enforcement config" do + customer_supplied_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + customer_managed_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" + google_managed_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" + + it "gets, sets and clears customer supplied encryption enforcement config" do + # set customer supplied encryption enforcement config to bucket + @bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config + @bucket.reload! + # get customer supplied encryption enforcement config from bucket and verify its values + _(@bucket.customer_supplied_encryption_enforcement_config).wont_be_nil + _(@bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + # clear customer supplied encryption enforcement config from bucket + @bucket.customer_supplied_encryption_enforcement_config = nil + @bucket.reload! + _(@bucket.customer_supplied_encryption_enforcement_config).must_be_nil + end + + it "gets, sets and clears customer managed encryption enforcement config" do + # set customer managed encryption enforcement config to bucket + @bucket.customer_managed_encryption_enforcement_config = customer_managed_config + @bucket.reload! + # get customer managed encryption enforcement config from bucket and verify its values + _(@bucket.customer_managed_encryption_enforcement_config).wont_be_nil + _(@bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted" + # clear customer managed encryption enforcement config from bucket + @bucket.customer_managed_encryption_enforcement_config = nil + @bucket.reload! + _(@bucket.customer_managed_encryption_enforcement_config).must_be_nil + end + + it "gets, sets and clears google managed encryption enforcement config" do + # set google managed encryption enforcement config to bucket + @bucket.google_managed_encryption_enforcement_config = google_managed_config + @bucket.reload! + # get google managed encryption enforcement config from bucket and verify its values + _(@bucket.google_managed_encryption_enforcement_config).wont_be_nil + _(@bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" + # clear google managed encryption enforcement config from bucket + @bucket.google_managed_encryption_enforcement_config = nil + @bucket.reload! + _(@bucket.google_managed_encryption_enforcement_config).must_be_nil + end + + it "raises error when setting invalid encryption enforcement config" do + customer_supplied_config1 = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "test" + expect {@bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config1}.must_raise Google::Cloud::InvalidArgumentError + end + + it "setting and clearing encryption enforcement config does not affect bucket's default kms key" do + # set default kms key to bucket + @bucket.google_managed_encryption_enforcement_config = google_managed_config + @bucket.reload! + # verify default kms key is set + _(@bucket.default_kms_key).must_equal kms_key + # clear encryption enforcement config + @bucket.customer_supplied_encryption_enforcement_config = nil + @bucket.customer_managed_encryption_enforcement_config = nil + @bucket.google_managed_encryption_enforcement_config = nil + @bucket.reload! + # verify default kms key is still set + _(@bucket.default_kms_key).must_equal kms_key end end end diff --git a/google-cloud-storage/acceptance/storage/bucket_test.rb b/google-cloud-storage/acceptance/storage/bucket_test.rb index c2cb6c9d2b2c..ea99e617db26 100644 --- a/google-cloud-storage/acceptance/storage/bucket_test.rb +++ b/google-cloud-storage/acceptance/storage/bucket_test.rb @@ -385,57 +385,4 @@ _(storage.bucket(hns_bucket_name)).must_be :nil? end - - describe "bucket encryption enforcement config" do - customer_supplied_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" - customer_managed_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted" - google_managed_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted" - - after do - safe_gcs_execute { bucket.delete } - end - it "gets, sets and clears customer supplied encryption enforcement config" do - # set customer supplied encryption enforcement config to bucket - bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config - bucket.reload! - # get customer supplied encryption enforcement config from bucket and verify its values - _(bucket.customer_supplied_encryption_enforcement_config).wont_be_nil - _(bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" - # clear customer supplied encryption enforcement config from bucket - bucket.customer_supplied_encryption_enforcement_config = nil - bucket.reload! - _(bucket.customer_supplied_encryption_enforcement_config).must_be_nil - end - - it "gets, sets and clears customer managed encryption enforcement config" do - # set customer managed encryption enforcement config to bucket - bucket.customer_managed_encryption_enforcement_config = customer_managed_config - bucket.reload! - # get customer managed encryption enforcement config from bucket and verify its values - _(bucket.customer_managed_encryption_enforcement_config).wont_be_nil - _(bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted" - # clear customer managed encryption enforcement config from bucket - bucket.customer_managed_encryption_enforcement_config = nil - bucket.reload! - _(bucket.customer_managed_encryption_enforcement_config).must_be_nil - end - - it "gets, sets and clears google managed encryption enforcement config" do - # set google managed encryption enforcement config to bucket - bucket.google_managed_encryption_enforcement_config = google_managed_config - bucket.reload! - # get google managed encryption enforcement config from bucket and verify its values - _(bucket.google_managed_encryption_enforcement_config).wont_be_nil - _(bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted" - # clear google managed encryption enforcement config from bucket - bucket.google_managed_encryption_enforcement_config = nil - bucket.reload! - _(bucket.google_managed_encryption_enforcement_config).must_be_nil - end - - it "raises error when setting invalid encryption enforcement config" do - customer_supplied_config1 = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "test" - expect {bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config1}.must_raise Google::Cloud::InvalidArgumentError - end - end end From 333aed7ec3bf4706fb88816a3d67066e52fe8744 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Wed, 25 Feb 2026 12:47:29 +0000 Subject: [PATCH 7/8] update test --- .../test/google/cloud/storage/bucket_encryption_test.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb b/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb index ce617da110e6..0fe2aa97ac4d 100644 --- a/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb +++ b/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb @@ -74,7 +74,7 @@ it "gets and sets its encryption config" do mock = Minitest::Mock.new - patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(kms_key) + patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(key_name: kms_key) mock.expect :patch_bucket, patch_bucket_gapi, [bucket_name, patch_bucket_gapi], **patch_bucket_args(options: {retries: 0}) bucket.service.mocked_service = mock @@ -88,9 +88,9 @@ it "sets its encryption config to nil" do bucket_gapi_with_key = bucket_gapi.dup - bucket_gapi_with_key.encryption = encryption_gapi(kms_key) + bucket_gapi_with_key.encryption = encryption_gapi(key_name: kms_key) bucket_with_key = Google::Cloud::Storage::Bucket.from_gapi bucket_gapi_with_key, storage.service - patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(nil) + patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(key_name: nil) mock = Minitest::Mock.new mock.expect :patch_bucket, bucket_gapi, [bucket_name, patch_bucket_gapi], **patch_bucket_args(options: {retries: 0}) From 1376ef9e536764f0203de6969b5c992d5b1e88b8 Mon Sep 17 00:00:00 2001 From: Shubhangi Singh Date: Thu, 26 Feb 2026 11:03:27 +0000 Subject: [PATCH 8/8] updating test --- .../google/cloud/storage/bucket_encryption_test.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb b/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb index 0fe2aa97ac4d..9e84cd78e4f8 100644 --- a/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb +++ b/google-cloud-storage/test/google/cloud/storage/bucket_encryption_test.rb @@ -20,6 +20,8 @@ let(:bucket_json) { bucket_hash.to_json } let(:bucket_gapi) { Google::Apis::StorageV1::Bucket.from_json bucket_json } let(:bucket) { Google::Cloud::Storage::Bucket.from_gapi bucket_gapi, storage.service } + let(:kms_key) { "path/to/encryption_key_name" } + describe "customer-supplied encryption key (CSEK)" do let(:encryption_key) { "y\x03\"\x0E\xB6\xD3\x9B\x0E\xAB*\x19\xFAv\xDEY\xBEI\xF8ftA|[z\x1A\xFBE\xDE\x97&\xBC\xC7" } @@ -70,8 +72,6 @@ end describe "KMS customer-managed encryption key (CMEK)" do - let(:kms_key) { "path/to/encryption_key_name" } - it "gets and sets its encryption config" do mock = Minitest::Mock.new patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(key_name: kms_key) @@ -90,9 +90,10 @@ bucket_gapi_with_key = bucket_gapi.dup bucket_gapi_with_key.encryption = encryption_gapi(key_name: kms_key) bucket_with_key = Google::Cloud::Storage::Bucket.from_gapi bucket_gapi_with_key, storage.service - patch_bucket_gapi = Google::Apis::StorageV1::Bucket.new encryption: encryption_gapi(key_name: nil) mock = Minitest::Mock.new - mock.expect :patch_bucket, bucket_gapi, [bucket_name, patch_bucket_gapi], **patch_bucket_args(options: {retries: 0}) + mock.expect :patch_bucket, bucket_gapi do |name, patch_obj, **args| + name == bucket_name && patch_obj.encryption&.default_kms_key_name.nil? + end bucket_with_key.service.mocked_service = mock @@ -122,7 +123,6 @@ end end - def create_file_gapi bucket=nil, name = nil Google::Apis::StorageV1::Object.from_json random_file_hash(bucket, name).to_json end