Skip to content
This repository was archived by the owner on Mar 3, 2026. It is now read-only.

Feat: add bucket encryption enforcement configuration#2718

Closed
thiyaguk09 wants to merge 6 commits intomainfrom
feat/bucket-encryption-config
Closed

Feat: add bucket encryption enforcement configuration#2718
thiyaguk09 wants to merge 6 commits intomainfrom
feat/bucket-encryption-config

Conversation

@thiyaguk09
Copy link
Copy Markdown
Contributor

@thiyaguk09 thiyaguk09 commented Feb 5, 2026

Description

This PR implements support for Bucket Encryption Enforcement in the BucketMetadata interface. This feature allows users to restrict object creation based on specific encryption types (Google-managed, Customer-managed, or Customer-supplied).

Key Changes:

  • Added googleManagedEncryptionEnforcementConfig, customerManagedEncryptionEnforcementConfig, and customerSuppliedEncryptionEnforcementConfig to the BucketMetadata interface.
  • Included the server-generated effectiveTime (readonly) and restrictionMode fields for each configuration type.
  • Added three new code samples: setBucketEncryptionEnforcementConfig, getBucketEncryptionEnforcementConfig, and removeAllBucketEncryptionEnforcementConfig.

Impact

This is a non-breaking feature addition. It enables security-conscious users to enforce CMEK-only (Customer-Managed Encryption Keys) policies at the bucket level, aligning the Node.js library with the latest GCS API capabilities.

Testing

  • Unit Tests: Added coverage in test/bucket.ts to verify that metadata is correctly serialized into PATCH requests. All tests follow the recommended pattern of mocking the underlying request layer.
  • System Tests: Added new test cases in system-test/storage.ts that execute the sample scripts against a live GCS project to verify end-to-end functionality and backend state persistence.
  • Samples: Verified that all three new samples run successfully and produce human-readable output.

Additional Information

Note that effectiveTime is treated as a read-only field populated by the server, which is verified in the system tests.

Checklist

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease
  • Appropriate docs were updated
  • Appropriate comments were added, particularly in complex areas or places that require background
  • No new warnings or issues will be generated from this change

Fixes #🦕

@thiyaguk09
feat: add encryption enforcement configuration to bucket metadata
b73b084 
Implement support for GoogleManaged, CustomerManaged, and
CustomerSupplied encryption enforcement configurations in
BucketMetadata.
This allows buckets to restrict object creation based on encryption
types.

- Update BucketMetadata interface with new enforcement config fields
- Add unit tests for metadata parsing, patching, and serialization
- Include JSDoc examples for configuring CMEK-only enforcement
@thiyaguk09
add sample & tests
f2af573
@thiyaguk09
test: add samples and system tests for bucket encryption enforcement
64799ff 
Adds comprehensive code samples and system tests to verify
Google-managed,
Customer-managed, and Customer-supplied encryption enforcement logic.

- Add setBucketEncryptionEnforcementConfig.js sample
- Add getBucketEncryptionEnforcementConfig.js sample
- Add removeAllBucketEncryptionEnforcementConfig.js sample
- Add system tests to verify CLI output and backend metadata state
- Ensure server-side effectiveTime is correctly captured and displayed
@thiyaguk09
fix: typo
1a72da1
@product-auto-label product-auto-label bot added size: l Pull request size is large. api: storage Issues related to the googleapis/nodejs-storage API. labels Feb 5, 2026
@thiyaguk09 thiyaguk09 marked this pull request as ready for review February 5, 2026 10:58
@thiyaguk09 thiyaguk09 requested review from a team February 5, 2026 10:58
@snippet-bot
Copy link
Copy Markdown

snippet-bot bot commented Feb 5, 2026
edited
Loading

Here is the summary of changes.

You are about to add 3 region tags.

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

  • Refresh this comment

v-pratap
v-pratap reviewed Feb 23, 2026
View reviewed changes
@thiyaguk09
feat: support encryption enforcement configurations
b9ec631 
Adds integration to verify that encryption enforcement
configurations are correctly handled during bucket metadata updates.
Confirms that `defaultKmsKeyName` is retained during partial updates
via server-side strategic merge.
@thiyaguk09 thiyaguk09 requested a review from a team as a code owner February 25, 2026 06:24
@thiyaguk09 thiyaguk09 requested a review from v-pratap February 25, 2026 06:43
@sofisl sofisl closed this Mar 3, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@v-pratap v-pratap Awaiting requested review from v-pratap

Assignees

No one assigned

Labels

api: storage Issues related to the googleapis/nodejs-storage API. size: l Pull request size is large.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thiyaguk09 @v-pratap @sofisl