samples(Storage): Add samples and tests for bucket encryption enforcement configuration (b/465329369)

Author: mahendra-google

storage/api/Storage.Samples.Tests/BucketGetEncryptionEnforcementConfigTest.cs

@@ -0,0 +1,50 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Xunit;
+
+[Collection(nameof(StorageFixture))]
+public class BucketGetEncryptionEnforcementConfigTest
+{
+    private readonly StorageFixture _fixture;
+
+    public BucketGetEncryptionEnforcementConfigTest(StorageFixture fixture)
+    {
+        _fixture = fixture;
+    }
+
+    [Fact]
+    public void BucketGetEncryptionEnforcementConfig()
+    {
+        var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
+        var bucketGetEncConfigSample = new BucketGetEncryptionEnforcementConfigSample();
+        var bucketName = _fixture.GenerateBucketName();
+        _fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
+
+        string keyName = $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}";
+        var bucket = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
+            bucketName: bucketName,
+            kmsKeyName: keyName,
+            enforceCmek: true);
+        var bucketEncryptionData = bucketGetEncConfigSample.BucketGetEncryptionEnforcementConfig(bucket.Name);
+        Assert.NotNull(bucketEncryptionData);
+        Assert.Equal(keyName, bucketEncryptionData.DefaultKmsKeyName);
+        Assert.Multiple(() =>
+        {
+            Assert.Equal("NotRestricted", bucketEncryptionData.CustomerManagedEncryptionEnforcementConfig?.RestrictionMode);
+            Assert.Equal("FullyRestricted", bucketEncryptionData.CustomerSuppliedEncryptionEnforcementConfig?.RestrictionMode);
+            Assert.Equal("FullyRestricted", bucketEncryptionData.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);
+        });
+    }
+}

storage/api/Storage.Samples.Tests/BucketRemoveAllEncryptionEnforcementConfigTest.cs

@@ -0,0 +1,48 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Xunit;
+
+[Collection(nameof(StorageFixture))]
+public class BucketRemoveAllEncryptionEnforcementConfigTest
+{
+    private readonly StorageFixture _fixture;
+
+    public BucketRemoveAllEncryptionEnforcementConfigTest(StorageFixture fixture)
+    {
+        _fixture = fixture;
+    }
+
+    [Fact]
+    public void BucketRemoveAllEncryptionEnforcementConfig()
+    {
+        var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
+        var bucketRemoveEncConfigSample = new BucketRemoveAllEncryptionEnforcementConfigSample();
+        var bucketName = _fixture.GenerateBucketName();
+        _fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
+        string keyName = $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}";
+        var bucket = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
+            bucketName: bucketName,
+            kmsKeyName: keyName,
+            enforceCmek: true);
+        var updatedBucket = bucketRemoveEncConfigSample.BucketRemoveAllEncryptionEnforcementConfig(bucket.Name);
+        Assert.Equal(updatedBucket.Encryption.DefaultKmsKeyName, bucket.Encryption.DefaultKmsKeyName);
+        Assert.Multiple(() =>
+        {
+            Assert.Null(updatedBucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig);
+            Assert.Null(updatedBucket.Encryption.CustomerManagedEncryptionEnforcementConfig);
+            Assert.Null(updatedBucket.Encryption.GoogleManagedEncryptionEnforcementConfig);
+        });
+    }
+}

storage/api/Storage.Samples.Tests/BucketSetEncryptionEnforcementConfigTest.cs

@@ -0,0 +1,62 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Xunit;
+
+[Collection(nameof(StorageFixture))]
+public class BucketSetEncryptionEnforcementConfigTest
+{
+    private readonly StorageFixture _fixture;
+
+    public BucketSetEncryptionEnforcementConfigTest(StorageFixture fixture)
+    {
+        _fixture = fixture;
+    }
+
+    [Theory]
+    [InlineData(true, false, false)]
+    [InlineData(false, true, false)]
+    [InlineData(false, false, true)]
+    public void BucketSetEncryptionEnforcementConfig(
+        bool enforceCmek,
+        bool enforceGmek,
+        bool restrictCsek)
+    {
+        var bucketSetEncConfigSample = new BucketSetEncryptionEnforcementConfigSample();
+        var bucketName = _fixture.GenerateBucketName();
+        string keyName = enforceCmek
+            ? $"projects/{_fixture.ProjectId}/locations/{_fixture.KmsKeyLocation}/keyRings/{_fixture.KmsKeyRing}/cryptoKeys/{_fixture.KmsKeyName}"
+            : null;
+        _fixture.CreateBucket(bucketName: bucketName, location: _fixture.KmsKeyLocation);
+        var bucket = bucketSetEncConfigSample.SetBucketEncryptionEnforcementConfig(
+            bucketName: bucketName,
+            kmsKeyName: keyName,
+            enforceCmek: enforceCmek,
+            enforceGmek: enforceGmek,
+            restrictCsek: restrictCsek);
+
+        string expectedCmek = enforceGmek ? "FullyRestricted" : "NotRestricted";
+        string expectedGmek = enforceCmek ? "FullyRestricted" : "NotRestricted";
+        string expectedCsek = (enforceCmek || enforceGmek || restrictCsek) ? "FullyRestricted" : "NotRestricted";
+
+        Assert.Multiple(() =>
+        {
+            Assert.Equal(expectedCmek, bucket.Encryption.CustomerManagedEncryptionEnforcementConfig?.RestrictionMode);
+            Assert.Equal(expectedCsek, bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig?.RestrictionMode);
+            Assert.Equal(expectedGmek, bucket.Encryption.GoogleManagedEncryptionEnforcementConfig?.RestrictionMode);
+
+            if (enforceCmek) Assert.Equal(keyName, bucket.Encryption.DefaultKmsKeyName);
+        });
+    }
+}

storage/api/Storage.Samples/BucketGetEncryptionEnforcementConfig.cs

@@ -0,0 +1,60 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// [START storage_get_encryption_enforcement_config]
+
+using Google.Apis.Storage.v1.Data;
+using Google.Cloud.Storage.V1;
+using System;
+
+public class BucketGetEncryptionEnforcementConfigSample
+{
+    /// <summary>
+    /// Get the encryption enforcement configuration for the bucket.
+    /// </summary>
+    /// <param name="bucketName">The name of the bucket.</param>
+    public Bucket.EncryptionData BucketGetEncryptionEnforcementConfig(string bucketName = "your-unique-bucket-name")
+    {
+        var storage = StorageClient.Create();
+        var bucket = storage.GetBucket(bucketName);
+        Console.WriteLine($"Encryption Enforcement Configuration for bucket {bucketName} is as follows:");
+
+        if (bucket.Encryption == null)
+        {
+            Console.WriteLine("No Encryption Configuration is found (Default GMEK is active)");
+            return bucket.Encryption;
+        }
+
+        var gmConfig = bucket.Encryption.GoogleManagedEncryptionEnforcementConfig;
+        if (gmConfig != null)
+        {
+            Console.WriteLine($"Google Managed (GMEK) Enforcement Restriction Mode: {gmConfig.RestrictionMode}");
+            Console.WriteLine($"Google Managed (GMEK) Enforcement Effective Time: {gmConfig.EffectiveTimeRaw}");
+        }
+        var cmConfig = bucket.Encryption.CustomerManagedEncryptionEnforcementConfig;
+        if (cmConfig != null)
+        {
+            Console.WriteLine($"Customer Managed (CMEK) Enforcement Restriction Mode: {cmConfig.RestrictionMode}");
+            Console.WriteLine($"Customer Managed (CMEK) Enforcement Effective Time: {cmConfig.EffectiveTimeRaw}");
+        }
+        var csConfig = bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig;
+        if (csConfig != null)
+        {
+            Console.WriteLine($"Customer Supplied (CSEK) Enforcement Restriction Mode: {csConfig.RestrictionMode}");
+            Console.WriteLine($"Customer Supplied (CSEK) Enforcement Effective Time: {csConfig.EffectiveTimeRaw}");
+        }
+        return bucket.Encryption;
+    }
+}
+// [END storage_get_encryption_enforcement_config]

storage/api/Storage.Samples/BucketRemoveAllEncryptionEnforcementConfig.cs

@@ -0,0 +1,51 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// [START storage_remove_all_encryption_enforcement_config]
+
+using Google.Apis.Storage.v1.Data;
+using Google.Cloud.Storage.V1;
+using System;
+
+public class BucketRemoveAllEncryptionEnforcementConfigSample
+{
+    /// <summary>
+    /// Remove all encryption enforcement configurations from the bucket.
+    /// </summary>
+    /// <param name="bucketName">The name of the bucket.</param>
+    public Bucket BucketRemoveAllEncryptionEnforcementConfig(string bucketName = "your-unique-bucket-name")
+    {
+        var storage = StorageClient.Create();
+        var bucket = storage.GetBucket(bucketName);
+
+        if (bucket.Encryption is null
+            || (bucket.Encryption.CustomerManagedEncryptionEnforcementConfig is null
+                && bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig is null
+                && bucket.Encryption.GoogleManagedEncryptionEnforcementConfig is null))
+        {
+            Console.WriteLine($"No Encryption Enforcement Configuration found for bucket {bucketName}");
+            return bucket;
+        }
+
+        bucket.Encryption = new Bucket.EncryptionData
+        {
+            DefaultKmsKeyName = bucket.Encryption.DefaultKmsKeyName
+        };
+
+        bucket = storage.UpdateBucket(bucket);
+        Console.WriteLine($"The Encryption Enforcement Configuration has been removed from the bucket {bucketName}");
+        return bucket;
+    }
+}
+// [END storage_remove_all_encryption_enforcement_config]

storage/api/Storage.Samples/BucketSetEncryptionEnforcementConfig.cs

@@ -0,0 +1,92 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// [START storage_set_encryption_enforcement_config]
+
+using Google.Apis.Storage.v1.Data;
+using Google.Cloud.Storage.V1;
+using System;
+
+public class BucketSetEncryptionEnforcementConfigSample
+{
+    /// <summary>
+    /// Set the encryption enforcement configuration for a bucket.
+    /// </summary>
+    /// <param name="bucketName">The name of the bucket.</param>
+    /// <param name="kmsKeyName">
+    /// The full resource name of the Cloud KMS key (CMEK). 
+    /// Required if <paramref name="enforceCmek"/> is true.
+    /// </param>
+    /// <param name="enforceCmek">If true, enforces Customer-Managed Encryption Key.</param>
+    /// <param name="enforceGmek">If true, enforces Google-Managed Encryption Key.</param>
+    /// <param name="restrictCsek">If true, restricts Customer-Supplied Encryption Key.</param>
+    public Bucket SetBucketEncryptionEnforcementConfig(
+        string bucketName = "your-unique-bucket-name",
+        string kmsKeyName = null,
+        bool enforceCmek = false,
+        bool enforceGmek = false,
+        bool restrictCsek = false)
+    {
+        var storage = StorageClient.Create();
+        var bucket = storage.GetBucket(bucketName);
+
+        if (bucket.Encryption == null)
+        {
+            bucket.Encryption = new Bucket.EncryptionData();
+        }
+
+        if (!string.IsNullOrEmpty(kmsKeyName))
+        {
+            bucket.Encryption.DefaultKmsKeyName = kmsKeyName;
+            Console.WriteLine($"Default Key Set: {kmsKeyName}");
+        }
+        else
+        {
+            bucket.Encryption.DefaultKmsKeyName = null;
+            Console.WriteLine("Default Key Set: None");
+        }
+
+        string cmek = "NotRestricted", csek = "NotRestricted", gmek = "NotRestricted";
+        string message = null;
+
+        if (enforceCmek)
+        {
+            csek = gmek = "FullyRestricted";
+            message = "CMEK-only enforcement policy";
+        }
+        else if (enforceGmek)
+        {
+            cmek = csek = "FullyRestricted";
+            message = "GMEK-only enforcement policy";
+        }
+        else if (restrictCsek)
+        {
+            csek = "FullyRestricted";
+            message = "policy to restrict CSEK";
+        }
+
+        bucket.Encryption.CustomerManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerManagedEncryptionEnforcementConfigData { RestrictionMode = cmek };
+        bucket.Encryption.CustomerSuppliedEncryptionEnforcementConfig = new Bucket.EncryptionData.CustomerSuppliedEncryptionEnforcementConfigData { RestrictionMode = csek };
+        bucket.Encryption.GoogleManagedEncryptionEnforcementConfig = new Bucket.EncryptionData.GoogleManagedEncryptionEnforcementConfigData { RestrictionMode = gmek };
+
+        if (message != null)
+        {
+            Console.WriteLine($"Bucket {bucketName} updated with {message}");
+        }
+
+        var updatedBucket = storage.UpdateBucket(bucket);
+        return updatedBucket;
+    }
+}
+// [END storage_set_encryption_enforcement_config]