feat(storage): add samples and system tests for bucket encryption enforcement (GoogleCloudPlatform#4272)

* feat(storage): add samples and system tests for bucket encryption enforcement

Adds comprehensive code samples and system tests to verify
Google-managed,
Customer-managed, and Customer-supplied encryption enforcement logic.

- Add setBucketEncryptionEnforcementConfig.js sample
- Add getBucketEncryptionEnforcementConfig.js sample
- Add updateBucketEncryptionEnforcementConfig.js sample
- Add system tests to verify CLI output and backend metadata state
- Ensure server-side effectiveTime is correctly captured and displayed

* code refactor

* test(storage): refactor encryption tests to assert state over strings

* test: skip bucket encryption enforcement tests if defaultKmsKeyName is missing

---------

Co-authored-by: Jennifer Davis <sigje@google.com>

Author: thiyaguk09

storage/getBucketEncryptionEnforcementConfig.js

@@ -0,0 +1,76 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+// sample-metadata:
+//   title: Get Bucket Encryption Enforcement
+//   description: Retrieves the current encryption enforcement configurations for a bucket.
+//   usage: node getBucketEncryptionEnforcementConfig.js <BUCKET_NAME>
+
+function main(bucketName = 'my-bucket') {
+  // [START storage_get_encryption_enforcement_config]
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // The ID of your GCS bucket
+  // const bucketName = 'your-unique-bucket-name';
+
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  async function getBucketEncryptionEnforcementConfig() {
+    const [metadata] = await storage.bucket(bucketName).getMetadata();
+
+    console.log(
+      `Encryption enforcement configuration for bucket ${bucketName}.`
+    );
+    const enc = metadata.encryption;
+    if (!enc) {
+      console.log(
+        'No encryption configuration found (Default GMEK is active).'
+      );
+      return;
+    }
+    console.log(`Default KMS Key: ${enc.defaultKmsKeyName || 'None'}`);
+
+    const printConfig = (label, config) => {
+      if (config) {
+        console.log(`${label}:`);
+        console.log(`  Mode: ${config.restrictionMode}`);
+        console.log(`  Effective: ${config.effectiveTime}`);
+      }
+    };
+
+    printConfig(
+      'Google Managed (GMEK) Enforcement',
+      enc.googleManagedEncryptionEnforcementConfig
+    );
+    printConfig(
+      'Customer Managed (CMEK) Enforcement',
+      enc.customerManagedEncryptionEnforcementConfig
+    );
+    printConfig(
+      'Customer Supplied (CSEK) Enforcement',
+      enc.customerSuppliedEncryptionEnforcementConfig
+    );
+  }
+
+  getBucketEncryptionEnforcementConfig().catch(console.error);
+  // [END storage_get_encryption_enforcement_config]
+}
+main(...process.argv.slice(2));

storage/setBucketEncryptionEnforcementConfig.js

@@ -0,0 +1,93 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+// sample-metadata:
+//   title: Set Bucket Encryption Enforcement
+//   description: Configures a bucket to enforce specific encryption types (e.g., CMEK-only).
+//   usage: node setBucketEncryptionEnforcementConfig.js <BUCKET_NAME> <KMS_KEY_NAME>
+
+function main(
+  bucketName = 'my-bucket',
+  defaultKmsKeyName = process.env.GOOGLE_CLOUD_KMS_KEY_ASIA
+) {
+  // [START storage_set_encryption_enforcement_config]
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // The ID of your GCS bucket
+  // const bucketName = 'your-unique-bucket-name';
+
+  // The name of the KMS key to be used as the default
+  // const defaultKmsKeyName = 'my-key';
+
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  async function setBucketEncryptionEnforcementConfig() {
+    const options = {
+      encryption: {
+        defaultKmsKeyName,
+        googleManagedEncryptionEnforcementConfig: {
+          restrictionMode: 'FullyRestricted',
+        },
+        customerSuppliedEncryptionEnforcementConfig: {
+          restrictionMode: 'FullyRestricted',
+        },
+        customerManagedEncryptionEnforcementConfig: {
+          restrictionMode: 'NotRestricted',
+        },
+      },
+    };
+
+    const [metadata] = await storage.bucket(bucketName).setMetadata(options);
+
+    console.log(
+      `Encryption enforcement configuration updated for bucket ${bucketName}.`
+    );
+    const enc = metadata.encryption;
+    if (enc) {
+      console.log(`Default KMS Key: ${enc.defaultKmsKeyName}`);
+
+      const logEnforcement = (label, config) => {
+        if (config) {
+          console.log(`${label}:`);
+          console.log(`  Mode: ${config.restrictionMode}`);
+          console.log(`  Effective: ${config.effectiveTime}`);
+        }
+      };
+
+      logEnforcement(
+        'Google Managed (GMEK) Enforcement',
+        enc.googleManagedEncryptionEnforcementConfig
+      );
+      logEnforcement(
+        'Customer Managed (CMEK) Enforcement',
+        enc.customerManagedEncryptionEnforcementConfig
+      );
+      logEnforcement(
+        'Customer Supplied (CSEK) Enforcement',
+        enc.customerSuppliedEncryptionEnforcementConfig
+      );
+    }
+  }
+
+  setBucketEncryptionEnforcementConfig().catch(console.error);
+  // [END storage_set_encryption_enforcement_config]
+}
+main(...process.argv.slice(2));

storage/system-test/buckets.test.js

@@ -0,0 +1,143 @@
+// Copyright 2019 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+const {Storage} = require('@google-cloud/storage');
+const {assert} = require('chai');
+const {before, after, afterEach, it} = require('mocha');
+const cp = require('child_process');
+const uuid = require('uuid');
+
+const execSync = cmd => cp.execSync(cmd, {encoding: 'utf-8'});
+
+const storage = new Storage();
+const samplesTestBucketPrefix = `nodejs-storage-samples-${uuid.v4()}`;
+const bucketName = `${samplesTestBucketPrefix}-a`;
+const defaultKmsKeyName = process.env.GOOGLE_CLOUD_KMS_KEY_ASIA;
+const bucket = storage.bucket(bucketName);
+
+before(async () => {
+  await storage.createBucket(bucketName);
+});
+
+async function deleteAllBucketsAsync() {
+  const [buckets] = await storage.getBuckets({prefix: samplesTestBucketPrefix});
+
+  for (const bucket of buckets) {
+    await bucket.deleteFiles({force: true});
+    await bucket.delete({ignoreNotFound: true});
+  }
+}
+
+after(deleteAllBucketsAsync);
+afterEach(async () => {
+  await new Promise(res => setTimeout(res, 1000));
+});
+
+it('should set bucket encryption enforcement configuration', async function () {
+  if (!defaultKmsKeyName) {
+    this.skip();
+  }
+  const output = execSync(
+    `node setBucketEncryptionEnforcementConfig.js ${bucketName} ${defaultKmsKeyName}`
+  );
+
+  assert.include(
+    output,
+    `Encryption enforcement configuration updated for bucket ${bucketName}.`
+  );
+
+  assert.include(output, `Default KMS Key: ${defaultKmsKeyName}`);
+
+  assert.include(output, 'Google Managed (GMEK) Enforcement:');
+  assert.include(output, 'Mode: FullyRestricted');
+
+  assert.include(output, 'Customer Managed (CMEK) Enforcement:');
+  assert.include(output, 'Mode: NotRestricted');
+
+  assert.include(output, 'Customer Supplied (CSEK) Enforcement:');
+  assert.include(output, 'Mode: FullyRestricted');
+
+  assert.match(output, new RegExp('Effective:'));
+
+  const [metadata] = await bucket.getMetadata();
+  const encryption = metadata.encryption || {};
+  assert.strictEqual(
+    encryption.googleManagedEncryptionEnforcementConfig?.restrictionMode,
+    'FullyRestricted'
+  );
+  assert.strictEqual(
+    encryption.customerManagedEncryptionEnforcementConfig?.restrictionMode,
+    'NotRestricted'
+  );
+  assert.strictEqual(
+    encryption.customerSuppliedEncryptionEnforcementConfig?.restrictionMode,
+    'FullyRestricted'
+  );
+});
+
+it('should get bucket encryption enforcement configuration', async function () {
+  if (!defaultKmsKeyName) {
+    this.skip();
+  }
+  const output = execSync(
+    `node getBucketEncryptionEnforcementConfig.js ${bucketName}`
+  );
+
+  assert.include(
+    output,
+    `Encryption enforcement configuration for bucket ${bucketName}.`
+  );
+  assert.include(output, `Default KMS Key: ${defaultKmsKeyName}`);
+
+  assert.include(output, 'Google Managed (GMEK) Enforcement:');
+  assert.include(output, 'Mode: FullyRestricted');
+  assert.match(output, /Effective:/);
+
+  const [metadata] = await bucket.getMetadata();
+  const encryption = metadata.encryption || {};
+
+  assert.strictEqual(encryption.defaultKmsKeyName, defaultKmsKeyName);
+  assert.strictEqual(
+    encryption.googleManagedEncryptionEnforcementConfig?.restrictionMode,
+    'FullyRestricted'
+  );
+  assert.strictEqual(
+    encryption.customerManagedEncryptionEnforcementConfig?.restrictionMode,
+    'NotRestricted'
+  );
+  assert.strictEqual(
+    encryption.customerSuppliedEncryptionEnforcementConfig?.restrictionMode,
+    'FullyRestricted'
+  );
+});
+
+it('should update and then remove bucket encryption enforcement configuration', async () => {
+  const output = execSync(
+    `node updateBucketEncryptionEnforcementConfig.js ${bucketName}`
+  );
+
+  assert.include(
+    output,
+    `Google-managed encryption enforcement set to FullyRestricted for ${bucketName}.`
+  );
+  assert.include(
+    output,
+    `All encryption enforcement configurations removed from bucket ${bucketName}.`
+  );
+
+  const [metadata] = await bucket.getMetadata();
+  assert.ok(!metadata.encryption);
+});

storage/updateBucketEncryptionEnforcementConfig.js

@@ -0,0 +1,74 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+'use strict';
+
+// sample-metadata:
+//   title: Update Bucket Encryption Enforcement Config
+//   description: Updates and then removes encryption enforcement configurations from a bucket.
+//   usage: node updateBucketEncryptionEnforcementConfig.js <BUCKET_NAME>
+
+function main(bucketName = 'my-bucket') {
+  // [START storage_update_bucket_encryption_enforcement_config]
+  /**
+   * TODO(developer): Uncomment the following lines before running the sample.
+   */
+  // The ID of your GCS bucket
+  // const bucketName = 'your-unique-bucket-name';
+
+  // Imports the Google Cloud client library
+  const {Storage} = require('@google-cloud/storage');
+
+  // Creates a client
+  const storage = new Storage();
+
+  async function updateBucketEncryptionEnforcementConfig() {
+    const bucket = storage.bucket(bucketName);
+
+    // Update a specific encryption type's restriction mode
+    // This partial update preserves other existing encryption settings.
+    const updateOptions = {
+      encryption: {
+        googleManagedEncryptionEnforcementConfig: {
+          restrictionMode: 'FullyRestricted',
+        },
+      },
+    };
+
+    await bucket.setMetadata(updateOptions);
+    console.log(
+      `Google-managed encryption enforcement set to FullyRestricted for ${bucketName}.`
+    );
+
+    // Remove all encryption enforcement configurations altogether
+    // Setting these values to null removes the policies from the bucket metadata.
+    const clearOptions = {
+      encryption: {
+        defaultKmsKeyName: null,
+        googleManagedEncryptionEnforcementConfig: null,
+        customerSuppliedEncryptionEnforcementConfig: null,
+        customerManagedEncryptionEnforcementConfig: null,
+      },
+    };
+
+    await bucket.setMetadata(clearOptions);
+    console.log(
+      `All encryption enforcement configurations removed from bucket ${bucketName}.`
+    );
+  }
+
+  updateBucketEncryptionEnforcementConfig().catch(console.error);
+  // [END storage_update_bucket_encryption_enforcement_config]
+}
+main(...process.argv.slice(2));