Feat(storage): add bucket encryption enforcement

[thiyaguk09]

Adds metadata support for the following encryption enforcement fields:

• googleManagedEncryptionEnforcementConfig
• customerManagedEncryptionEnforcementConfig
• customerSuppliedEncryptionEnforcementConfig

[snippet-bot]

Here is the summary of changes.

You are about to add 3 region tags.

• storage/src/get_bucket_encryption_enforcement_config.php:26, tag storage_get_encryption_enforcement_config
• storage/src/remove_all_bucket_encryption_enforcement_config.php:26, tag storage_remove_all_encryption_enforcement_config
• storage/src/set_bucket_encryption_enforcement_config.php:26, tag storage_set_encryption_enforcement_config

---

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

• Refresh this comment

[gemini-code-assist]

Summary of Changes

Hello @thiyaguk09, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces robust capabilities for managing encryption enforcement on Google Cloud Storage buckets. It provides developers with tools to programmatically retrieve existing encryption policies, apply new enforcement rules (such as mandating Customer Managed Encryption Keys), and remove previously configured policies. This enhancement improves data security and compliance by offering granular control over how data is encrypted at rest within buckets.

Highlights

• Retrieve Encryption Enforcement: Added a new function to fetch the current encryption enforcement settings for a Google Cloud Storage bucket, detailing configurations for GMEK, CMEK, and CSEK.
• Set Encryption Enforcement: Implemented a function to configure a bucket's encryption enforcement, allowing for policies like enforcing CMEK-only encryption.
• Remove Encryption Enforcement: Provided a function to clear all encryption enforcement configurations from a bucket, reverting to default behavior.
• Comprehensive Testing: Included new unit tests to ensure the correct functionality of setting, retrieving, and removing bucket encryption enforcement policies.

Changelog

• storage/src/get_bucket_encryption_enforcement_config.php
  • Added a new PHP script to retrieve encryption enforcement configurations for a bucket.
• storage/src/remove_all_bucket_encryption_enforcement_config.php
  • Added a new PHP script to remove all encryption enforcement configurations from a bucket.
• storage/src/set_bucket_encryption_enforcement_config.php
  • Added a new PHP script to set specific encryption enforcement configurations for a bucket.
• storage/test/storageTest.php
  • Updated the test suite to include new tests for setting, getting, and removing bucket encryption enforcement configurations.

Activity

• The author, thiyaguk09, initiated this pull request to add metadata support for googleManagedEncryptionEnforcementConfig, customerManagedEncryptionEnforcementConfig, and customerSuppliedEncryptionEnforcementConfig.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds functionality and corresponding samples for managing bucket encryption enforcement configurations. The changes include new scripts for setting, getting, and removing these configurations, along with integration tests. The implementation of the core functionality is clear and correct. My review focuses on improving the new tests for better robustness and maintainability. I've suggested making test assertions more specific and refactoring duplicated code in the test suite.

[gemini-code-assist]

The variable $kmsEncryptedBucketName is redefined with the same value in testSetBucketEncryptionEnforcementConfig, testGetBucketEncryptionEnforcementConfig, and testRemoveAllBucketEncryptionEnforcementConfig. To avoid repetition and improve maintainability, consider defining it as a private static property of the class and initializing it in setUpBeforeClass.

[gemini-code-assist]

This test is missing a check for the 'Customer Supplied (CSEK) Enforcement' configuration, which is set in set_bucket_encryption_enforcement_config. Please add an assertion for it.

Additionally, the current assertions using assertStringContainsString are not specific enough to verify that the correct mode is associated with the correct enforcement type. For more robust testing, you could consider using assertMatchesRegularExpression to verify that the mode is correctly associated with its enforcement policy.

        $this->assertStringContainsString('Google Managed (GMEK) Enforcement:', $output);
        $this->assertStringContainsString('Mode: FullyRestricted', $output);
        $this->assertStringContainsString('Customer Managed (CMEK) Enforcement:', $output);
        $this->assertStringContainsString('Mode: NotRestricted', $output);
        $this->assertStringContainsString('Customer Supplied (CSEK) Enforcement:', $output);