@@ -0,0 +1,50 @@
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

using Xunit;

[Collection(nameof(StorageFixture))]
public class BucketGetEncryptionEnforcementConfigTest
{
private readonly StorageFixture _fixture;

public BucketGetEncryptionEnforcementConfigTest(StorageFixture fixture)
{
_fixture = fixture;
}

[Fact]
public void BucketGetEncryptionEnforcementConfig()
{
var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
var bucketGetEncConfigSample = new BucketGetEncryptionEnforcementConfigSample();
var bucketName = _fixture.GenerateBucketName();
_fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);

string keyName = $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}";
bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
bucketName: bucketName,
kmsKeyName: keyName,
enforceCmek: true);
var bucketEncryptionData = bucketGetEncConfigSample.BucketGetEncryptionEnforcementConfig(bucketName);
Assert.NotNull(bucketEncryptionData);
Assert.Equal(keyName, bucketEncryptionData.DefaultKmsKeyName);
Assert.Multiple(() =>
{
Assert.Equal("NotRestricted", bucketEncryptionData.CustomerManagedEncryptionEnforcementConfig?.RestrictionMode);
Assert.Equal("FullyRestricted", bucketEncryptionData.CustomerSuppliedEncryptionEnforcementConfig?.RestrictionMode);
Assert.Equal("FullyRestricted", bucketEncryptionData.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);
});
}
}
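Review bot: The GET sample's no-configuration branch (the `bucket.Encryption == null` early return that prints "No Encryption Enforcement Configuration is found") is never exercised, because the only test case enforces CMEK first; a second `[Fact]` that calls `BucketGetEncryptionEnforcementConfig` on a freshly created bucket and asserts on the result would cover it. Whether a new bucket actually reports `Encryption == null` or an empty `EncryptionData` is not visible here, so the expected value needs confirming against the API before it is pinned. The mode strings `"FullyRestricted"`/`"NotRestricted"` are repeated verbatim across the three test files and the sample; lifting them into constants on `StorageFixture` would keep the expectations from drifting apart.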
@@ -0,0 +1,62 @@
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

using Xunit;

[Collection(nameof(StorageFixture))]
public class BucketSetEncryptionEnforcementConfigTest
{
private readonly StorageFixture _fixture;

public BucketSetEncryptionEnforcementConfigTest(StorageFixture fixture)
{
_fixture = fixture;
}

[Theory]
[InlineData(true, false, false)]
[InlineData(false, true, false)]
[InlineData(false, false, true)]
public void BucketSetEncryptionEnforcementConfig(
bool enforceCmek,
bool enforceGmek,
bool enforceCsek)
{
var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
var bucketName = _fixture.GenerateBucketName();
string keyName = enforceCmek
? $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}"
: null;
_fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
var bucketEncryptionData = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
bucketName: bucketName,
kmsKeyName: keyName,
enforceCmek: enforceCmek,
enforceGmek: enforceGmek,
enforceCsek: enforceCsek);

string expectedCmek = (enforceGmek || enforceCsek) ? "FullyRestricted" : "NotRestricted";
string expectedGmek = (enforceCmek || enforceCsek) ? "FullyRestricted" : "NotRestricted";
string expectedCsek = (enforceCmek || enforceGmek) ? "FullyRestricted" : "NotRestricted";

Assert.Multiple(() =>
{
Assert.Equal(expectedCmek, bucketEncryptionData.CustomerManagedEncryptionEnforcementConfig?.RestrictionMode);
Assert.Equal(expectedCsek, bucketEncryptionData.CustomerSuppliedEncryptionEnforcementConfig?.RestrictionMode);
Assert.Equal(expectedGmek, bucketEncryptionData.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);

if (enforceCmek) Assert.Equal(keyName, bucketEncryptionData.DefaultKmsKeyName);
});
}
}
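Review bot: The reset path — every flag false, which the sample reports as "no encryption enforcement policy" and which is the call that relaxes a bucket's policy — has no `[InlineData]` case, so the branch most likely to be misused is untested; add `[InlineData(false, false, false)]`. The three `expected*` strings reproduce the sample's own formula, so a mistake in that formula would be mirrored in the expectation rather than caught; spelling out the expected mode triple per case in the inline data is more robust. When `enforceCmek` is false the `DefaultKmsKeyName` is not checked at all; `else Assert.Null(bucketEncryptionData.DefaultKmsKeyName);` inside `Assert.Multiple` would pin the sample's clearing behaviour.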
@@ -0,0 +1,66 @@
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

using Google.Apis.Storage.v1.Data;
using Xunit;

[Collection(nameof(StorageFixture))]
public class BucketUpdateEncryptionEnforcementConfigTest
{
private readonly StorageFixture _fixture;

public BucketUpdateEncryptionEnforcementConfigTest(StorageFixture fixture)
{
_fixture = fixture;
}

[Theory]
[InlineData("FullyRestricted")]
[InlineData(null)]
public void BucketUpdateEncryptionEnforcementConfig(string restrictionMode)
{
var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
var bucketUpdateEncConfigSample = new BucketUpdateEncryptionEnforcementConfigSample();
var bucketName = _fixture.GenerateBucketName();
_fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
string keyName = $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}";

bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
bucketName: bucketName,
kmsKeyName: keyName,
enforceCmek: true);

var encryptionData = new Bucket.EncryptionData
{
DefaultKmsKeyName = keyName,
GoogleManagedEncryptionEnforcementConfig = restrictionMode != null
? new Bucket.EncryptionData.GoogleManagedEncryptionEnforcementConfigData
{ RestrictionMode = restrictionMode }
: null
};

var bucketEncryptionData = bucketUpdateEncConfigSample.BucketUpdateEncryptionEnforcementConfig(bucketName, encryptionData);
Assert.Equal(keyName, bucketEncryptionData.DefaultKmsKeyName);

if (restrictionMode != null)
{
Assert.NotNull(encryptionData.GoogleManagedEncryptionEnforcementConfig);
Assert.Equal(restrictionMode, encryptionData.GoogleManagedEncryptionEnforcementConfig.RestrictionMode);
}
else
{
Assert.Null(encryptionData.GoogleManagedEncryptionEnforcementConfig);
}
}
}
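Review bot: The assertions in the `if (restrictionMode != null)`/`else` branches inspect `encryptionData`, the input object the test built itself, instead of `bucketEncryptionData`, the value returned by the update, so they pass regardless of what the API did; change them to `Assert.Equal(restrictionMode, bucketEncryptionData.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);` and `Assert.Null(bucketEncryptionData.GoogleManagedEncryptionEnforcementConfig);`. After `SetBucketEncryptionEnforcementConfig(enforceCmek: true)` the GMEK mode is already `FullyRestricted`, so the `"FullyRestricted"` case re-applies the existing value and does not prove the update took effect; a mode that differs from the pre-set state would. Whether the service echoes back `null` for a cleared enforcement config or a default entry is not visible here, so the `null` case's expectation needs confirming once the assertion targets the returned object.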
@@ -0,0 +1,57 @@
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// [START storage_get_bucket_encryption_enforcement_config]

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class BucketGetEncryptionEnforcementConfigSample
{
/// <summary>
/// Get the encryption enforcement configuration for the bucket.
/// </summary>
/// <param name="bucketName">The name of the bucket.</param>
public Bucket.EncryptionData BucketGetEncryptionEnforcementConfig(string bucketName = "your-unique-bucket-name")
{
var storage = StorageClient.Create();
var bucket = storage.GetBucket(bucketName);
Console.WriteLine($"Encryption Enforcement Configuration for bucket {bucketName} is as follows:");

if (bucket.Encryption == null)
{
Console.WriteLine("No Encryption Enforcement Configuration is found");
return bucket.Encryption;
}

var gmConfig = bucket.Encryption.GoogleManagedEncryptionEnforcementConfig;
if (gmConfig != null)
{
Console.WriteLine($"Google Managed (GMEK) Enforcement Restriction Mode: {gmConfig.RestrictionMode}, Effective Time: {gmConfig.EffectiveTimeRaw}");
}
var cmConfig = bucket.Encryption.CustomerManagedEncryptionEnforcementConfig;
if (cmConfig != null)
{
Console.WriteLine($"Customer Managed (CMEK) Enforcement Restriction Mode: {cmConfig.RestrictionMode}, Effective Time: {cmConfig.EffectiveTimeRaw}");
}
var csConfig = bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig;
if (csConfig != null)
{
Console.WriteLine($"Customer Supplied (CSEK) Enforcement Restriction Mode: {csConfig.RestrictionMode}, Effective Time: {csConfig.EffectiveTimeRaw}");
}
return bucket.Encryption;
}
}
// [END storage_get_bucket_encryption_enforcement_config]
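Review bot: The sample returns `null` when the bucket has no encryption configuration (the `bucket.Encryption == null` branch) but the XML doc has no `<returns>`, so callers such as the test's `Assert.NotNull` have no documented contract; add `/// <returns>The bucket's <see cref="Bucket.EncryptionData"/>, or null if none is configured.</returns>`. The default KMS key is part of the same configuration and is what the tests assert on, yet it is never printed; a line such as `Console.WriteLine($"Default KMS Key: {bucket.Encryption.DefaultKmsKeyName}");` before the three enforcement blocks would make the output complete. The "is as follows:" header is printed before the null check, so the "No Encryption Enforcement Configuration is found" message follows a header that announces a listing; moving the header below the early return reads better.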
@@ -0,0 +1,82 @@
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// [START storage_set_bucket_encryption_enforcement_config]

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class BucketSetEncryptionEnforcementConfigSample
{
/// <summary>
/// Set the encryption enforcement configuration for a bucket.
/// </summary>
/// <param name="bucketName">The name of the bucket.</param>
/// <param name="kmsKeyName">
/// The full resource name of the Cloud KMS key (CMEK).
/// Required if <paramref name="enforceCmek"/> is true.
/// </param>
/// <param name="enforceCmek">If true, enforces Customer-Managed Encryption Key.</param>
/// <param name="enforceGmek">If true, enforces Google-Managed Encryption Key.</param>
/// <param name="enforceCsek">If true, enforces Customer-Supplied Encryption Key.</param>
public Bucket.EncryptionData SetBucketEncryptionEnforcementConfig(
string bucketName = "your-unique-bucket-name",
string kmsKeyName = null,
bool enforceCmek = false,
bool enforceGmek = false,
bool enforceCsek = false)
{
var storage = StorageClient.Create();

high

It's good practice to validate input arguments at the beginning of a method. This method should check for two invalid states:

  1. enforceCmek and enforceGmek being simultaneously true, as they are mutually exclusive policies.
  2. enforceCmek being true without a kmsKeyName, which is required in that case.

Adding these checks makes the sample more robust and easier to use correctly.

if (enforceCmek && enforceGmek)
{
    throw new ArgumentException("Cannot enforce both Customer-Managed and Google-Managed keys simultaneously.");
}
if (enforceCmek && string.IsNullOrEmpty(kmsKeyName))
{
    throw new ArgumentException("A KMS key name must be provided to enforce Customer-Managed keys.", nameof(kmsKeyName));
}
var storage = StorageClient.Create();


medium

The method summary correctly states that kmsKeyName is required when enforceCmek is true. It would be good practice to validate this condition at the beginning of the method to provide a clear error message to the user, rather than letting the underlying API call fail.

        if (enforceCmek && string.IsNullOrEmpty(kmsKeyName))
        {
            throw new ArgumentException("kmsKeyName must be provided when enforceCmek is true.", nameof(kmsKeyName));
        }

        var storage = StorageClient.Create();

var bucket = storage.GetBucket(bucketName);

if (bucket.Encryption == null)
{
bucket.Encryption = new Bucket.EncryptionData();
}

if (!string.IsNullOrEmpty(kmsKeyName))
{
bucket.Encryption.DefaultKmsKeyName = kmsKeyName;
Console.WriteLine($"Default Key Set: {kmsKeyName}");
}
else
{
bucket.Encryption.DefaultKmsKeyName = null;
Console.WriteLine("Default Key Set: None");
}

string cmek = (enforceGmek || enforceCsek) ? "FullyRestricted" : "NotRestricted";
string gmek = (enforceCmek || enforceCsek) ? "FullyRestricted" : "NotRestricted";
string csek = (enforceCmek || enforceGmek) ? "FullyRestricted" : "NotRestricted";

string message = enforceCmek ? "CMEK-only enforcement policy"
: enforceGmek ? "GMEK-only enforcement policy"
: enforceCsek ? "CSEK-only enforcement policy"
: "no encryption enforcement policy";

bucket.Encryption.CustomerManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerManagedEncryptionEnforcementConfigData { RestrictionMode = cmek };
bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerSuppliedEncryptionEnforcementConfigData { RestrictionMode = csek };
bucket.Encryption.GoogleManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.GoogleManagedEncryptionEnforcementConfigData { RestrictionMode = gmek };

if (message != null)
{
Console.WriteLine($"Bucket {bucketName} updated with {message}");
}
Comment on lines +73 to +76

critical

The current logic only updates the encryption enforcement configuration if one of the boolean flags (enforceCmek, enforceGmek, enforceCsek) is true. If all are false, the if (message != null) condition is false, and no changes are applied to the bucket's encryption enforcement properties. This is a bug, as it prevents a user from removing a previously set enforcement policy by calling this method with all flags set to false (the expectation would be to reset the policy to NotRestricted for all encryption types).

The fix is to always update the bucket's encryption properties and only make the console message conditional on whether a specific policy was set.

bucket.Encryption.CustomerManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerManagedEncryptionEnforcementConfigData { RestrictionMode = cmek };
bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerSuppliedEncryptionEnforcementConfigData { RestrictionMode = csek };
bucket.Encryption.GoogleManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.GoogleManagedEncryptionEnforcementConfigData { RestrictionMode = gmek };

if (message != null)
{
    Console.WriteLine($"Bucket {bucketName} updated with {message}");
}


var updatedBucket = storage.UpdateBucket(bucket);
return updatedBucket.Encryption;
}
}
// [END storage_set_bucket_encryption_enforcement_config]
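Review bot: The read-modify-write at the end — `GetBucket` followed by `UpdateBucket(bucket)` with no precondition — can silently overwrite a concurrent change to the bucket's metadata, which matters for an encryption-enforcement policy; passing the metageneration just read as a precondition, along the lines of `storage.UpdateBucket(bucket, new UpdateBucketOptions { IfMetagenerationMatch = bucket.Metageneration })`, makes a lost update fail loudly instead (confirm the option name against the client version in use). The `if (message != null)` guard is dead code because the preceding ternary chain always yields a string; drop the guard and print unconditionally. When `kmsKeyName` is null or empty the sample unconditionally clears `DefaultKmsKeyName`, so a call that only enables `enforceGmek` or `enforceCsek` also removes any previously configured default key; if that is intended it belongs in the `<param name="kmsKeyName">` doc, e.g. `/// If null or empty, any existing default KMS key on the bucket is removed.`. With two or more flags true the mode matrix leaves every type `FullyRestricted`, i.e. no encryption type is permitted at all, which deserves a sentence in the `<summary>` since the flag combinations are not otherwise constrained here.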
@@ -0,0 +1,48 @@
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// [START storage_update_bucket_encryption_enforcement_config]

using Google.Apis.Storage.v1.Data;
using Google.Cloud.Storage.V1;
using System;

public class BucketUpdateEncryptionEnforcementConfigSample
{
/// <summary>
/// Updates the encryption enforcement configuration of the bucket.
/// </summary>
/// <param name="bucketName">The name of the bucket.</param>
/// <param name="encryptionData">The encryption configuration for the bucket.</param>
public Bucket.EncryptionData BucketUpdateEncryptionEnforcementConfig(string bucketName = "your-unique-bucket-name", Bucket.EncryptionData encryptionData = null)
{
var storage = StorageClient.Create();
var bucket = storage.GetBucket(bucketName);

if (bucket.Encryption is null
|| (bucket.Encryption.CustomerManagedEncryptionEnforcementConfig is null
&& bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig is null
&& bucket.Encryption.GoogleManagedEncryptionEnforcementConfig is null))
{
Console.WriteLine($"No Encryption Enforcement Configuration found for bucket {bucketName}");
return bucket.Encryption;
}

bucket.Encryption = encryptionData;
bucket = storage.UpdateBucket(bucket);
Console.WriteLine($"The Encryption Enforcement Configuration has been updated for the bucket {bucketName}");
return bucket.Encryption;
}
}
// [END storage_update_bucket_encryption_enforcement_config]
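Review bot: `encryptionData` defaults to null and is assigned straight to `bucket.Encryption` and sent to `UpdateBucket`, so a caller who omits the argument pushes a null configuration to the bucket with no diagnostic; guard it before the `GetBucket` call with `ArgumentNullException.ThrowIfNull(encryptionData);` (or an explicit null check if the project targets a runtime older than .NET 6). The assignment replaces the bucket's entire `EncryptionData`, not just the enforcement configs, so any field the caller leaves unset — including `DefaultKmsKeyName` — is dropped; the `<param name="encryptionData">` doc should say so, e.g. `/// The complete encryption configuration to apply; it replaces the existing configuration, so include DefaultKmsKeyName if it should be retained.`. The same `GetBucket`/`UpdateBucket` pair carries no metageneration precondition, so a concurrent update is overwritten rather than rejected. Whether the service treats a null `Encryption` as "clear" or "leave unchanged" is not visible here, which is one more reason to reject null at the entry point.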