
Feat(storage): add bucket encryption enforcement #2190

Draft
thiyaguk09 wants to merge 2 commits into GoogleCloudPlatform:main from thiyaguk09:feat/bucket-encryption-config

@thiyaguk09
Contributor

Adds metadata support for the following encryption enforcement fields:

  • googleManagedEncryptionEnforcementConfig
  • customerManagedEncryptionEnforcementConfig
  • customerSuppliedEncryptionEnforcementConfig

@thiyaguk09 thiyaguk09 requested review from a team as code owners February 26, 2026 14:10
@snippet-bot
snippet-bot bot commented Feb 26, 2026

Here is the summary of changes.

You are about to add 3 region tags.

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.

@product-auto-label product-auto-label bot added labels Feb 26, 2026: "api: storage" (Issues related to the Cloud Storage API.) and "samples" (Issues that are directly related to samples.)
@thiyaguk09 thiyaguk09 marked this pull request as draft February 26, 2026 14:10
@gemini-code-assist
Summary of Changes

Hello @thiyaguk09, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces robust capabilities for managing encryption enforcement on Google Cloud Storage buckets. It provides developers with tools to programmatically retrieve existing encryption policies, apply new enforcement rules (such as mandating Customer Managed Encryption Keys), and remove previously configured policies. This enhancement improves data security and compliance by offering granular control over how data is encrypted at rest within buckets.

Highlights

  • Retrieve Encryption Enforcement: Added a new function to fetch the current encryption enforcement settings for a Google Cloud Storage bucket, detailing configurations for GMEK, CMEK, and CSEK.
  • Set Encryption Enforcement: Implemented a function to configure a bucket's encryption enforcement, allowing for policies like enforcing CMEK-only encryption.
  • Remove Encryption Enforcement: Provided a function to clear all encryption enforcement configurations from a bucket, reverting to default behavior.
  • Comprehensive Testing: Included new unit tests to ensure the correct functionality of setting, retrieving, and removing bucket encryption enforcement policies.

Changelog

  • storage/src/get_bucket_encryption_enforcement_config.php
    • Added a new PHP script to retrieve encryption enforcement configurations for a bucket.
  • storage/src/remove_all_bucket_encryption_enforcement_config.php
    • Added a new PHP script to remove all encryption enforcement configurations from a bucket.
  • storage/src/set_bucket_encryption_enforcement_config.php
    • Added a new PHP script to set specific encryption enforcement configurations for a bucket.
  • storage/test/storageTest.php
    • Updated the test suite to include new tests for setting, getting, and removing bucket encryption enforcement configurations.

Activity

  • The author, thiyaguk09, initiated this pull request to add metadata support for googleManagedEncryptionEnforcementConfig, customerManagedEncryptionEnforcementConfig, and customerSuppliedEncryptionEnforcementConfig.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds functionality and corresponding samples for managing bucket encryption enforcement configurations. The changes include new scripts for setting, getting, and removing these configurations, along with integration tests. The implementation of the core functionality is clear and correct. My review focuses on improving the new tests for better robustness and maintainability. I've suggested making test assertions more specific and refactoring duplicated code in the test suite.

/** @depends testEnableDefaultKmsKey */
public function testSetBucketEncryptionEnforcementConfig()
{
$kmsEncryptedBucketName = self::$bucketName . '-kms-encrypted';
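
Review bot: The `@depends testEnableDefaultKmsKey` annotation on `testSetBucketEncryptionEnforcementConfig` makes PHPUnit skip this test whenever that earlier test fails or is skipped, so a KMS setup problem would hide regressions in the enforcement sample. Consider having this test obtain the `-kms-encrypted` bucket from shared class setup rather than from another test's side effects.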


medium

The variable $kmsEncryptedBucketName is redefined with the same value in testSetBucketEncryptionEnforcementConfig, testGetBucketEncryptionEnforcementConfig, and testRemoveAllBucketEncryptionEnforcementConfig. To avoid repetition and improve maintainability, consider defining it as a private static property of the class and initializing it in setUpBeforeClass.

Comment on lines +607 to +610
$this->assertStringContainsString('Google Managed (GMEK) Enforcement:', $output);
$this->assertStringContainsString('Mode: FullyRestricted', $output);
$this->assertStringContainsString('Customer Managed (CMEK) Enforcement:', $output);
$this->assertStringContainsString('Mode: NotRestricted', $output);


medium

This test is missing a check for the 'Customer Supplied (CSEK) Enforcement' configuration, which is set in set_bucket_encryption_enforcement_config. Please add an assertion for it.

Additionally, the current assertions using assertStringContainsString are not specific enough to verify that the correct mode is associated with the correct enforcement type. For more robust testing, you could consider using assertMatchesRegularExpression to verify that the mode is correctly associated with its enforcement policy.

        $this->assertStringContainsString('Google Managed (GMEK) Enforcement:', $output);
        $this->assertStringContainsString('Mode: FullyRestricted', $output);
        $this->assertStringContainsString('Customer Managed (CMEK) Enforcement:', $output);
        $this->assertStringContainsString('Mode: NotRestricted', $output);
        $this->assertStringContainsString('Customer Supplied (CSEK) Enforcement:', $output);
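
The review comment above notes that substring assertions cannot tie a mode to its enforcement type. The following added example (not code from this pull request) shows that failure and a paired check; the helper name `parseEnforcementModes`, the sample output and its two-line layout are assumptions built from the strings the test asserts on.

```php
<?php
// Added example, not part of the PR. The "heading line, then an indented
// Mode: line" layout is assumed from the strings the test asserts on.

/** Hypothetical helper: map each enforcement type to the mode printed under it. */
function parseEnforcementModes(string $output): array
{
    $modes = [];
    $current = null;
    foreach (preg_split('/\R/', $output) as $line) {
        if (preg_match('/\((GMEK|CMEK|CSEK)\) Enforcement:/', $line, $m)) {
            $current = $m[1];               // remember which section we are in
        } elseif ($current !== null && preg_match('/^\s*Mode:\s*(\S+)/', $line, $m)) {
            $modes[$current] = $m[1];       // first Mode: line after a heading
            $current = null;                // a stray second Mode: is ignored
        }
    }
    return $modes;
}

// Constructed output with the GMEK and CMEK modes swapped.
$swapped = <<<TXT
Google Managed (GMEK) Enforcement:
  Mode: NotRestricted
Customer Managed (CMEK) Enforcement:
  Mode: FullyRestricted
Customer Supplied (CSEK) Enforcement:
  Mode: FullyRestricted
TXT;

// The four substring checks from the test all pass on the swapped output.
$needles = [
    'Google Managed (GMEK) Enforcement:', 'Mode: FullyRestricted',
    'Customer Managed (CMEK) Enforcement:', 'Mode: NotRestricted',
];
$substringChecksPass = true;
foreach ($needles as $needle) {
    $substringChecksPass = $substringChecksPass && str_contains($swapped, $needle);
}

// Pairing each mode with its heading exposes the swap. The expected CSEK mode
// is not shown on the page, so only its presence is checked here.
$modes = parseEnforcementModes($swapped);
$pairedChecksPass = ($modes['GMEK'] ?? null) === 'FullyRestricted'
    && ($modes['CMEK'] ?? null) === 'NotRestricted'
    && array_key_exists('CSEK', $modes);

var_dump($substringChecksPass, $pairedChecksPass);
```

In the PHPUnit test, the same comparison would be written with `assertSame` on the parsed array.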
