
feat: add support for bucket encryption enforcement config #1742

Draft
rajeevpodar wants to merge 4 commits into main from feat/bucket-encryption-config-10151670798613550332

Conversation

@rajeevpodar (Collaborator)

Implemented bucket encryption enforcement configuration support.
Added EncryptionEnforcementConfig and BucketEncryption classes.
Added encryption property to Bucket.
Added unit tests.


PR created automatically by Jules for task 10151670798613550332 started by @rajeevpodar

This change introduces support for configuring bucket encryption enforcement, including:
- `defaultKmsKeyName` (via `BucketEncryption`)
- `googleManagedEncryptionEnforcementConfig`
- `customerManagedEncryptionEnforcementConfig`
- `customerSuppliedEncryptionEnforcementConfig`

New classes `EncryptionEnforcementConfig` and `BucketEncryption` are added to `google/cloud/storage/bucket.py` to wrap the API configuration.
The `Bucket` class now exposes an `encryption` property.

Tests are added in `tests/unit/test_bucket.py`.

Co-authored-by: rajeevpodar <3637722+rajeevpodar@users.noreply.github.com>
@rajeevpodar rajeevpodar requested review from a team as code owners February 5, 2026 10:52

@rajeevpodar rajeevpodar requested a review from a team as a code owner February 5, 2026 10:52
@product-auto-label product-auto-label bot added the size: l Pull request size is large. label Feb 5, 2026
@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/python-storage API. label Feb 5, 2026
@gemini-code-assist (Contributor)

Summary of Changes

Hello @rajeevpodar, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Google Cloud Storage client library by introducing robust support for managing bucket encryption enforcement configurations. It provides a structured API for users to define and apply various encryption policies, including setting restriction modes and handling different types of encryption (Google-managed, customer-managed, and customer-supplied) directly through the Bucket object. This feature allows for more granular control over data security and compliance within cloud storage buckets.

Highlights

  • New encryption property for Bucket: A new encryption property has been added to the Bucket class, allowing retrieval and setting of bucket-level encryption configurations.
  • Introduction of EncryptionEnforcementConfig class: A new class, EncryptionEnforcementConfig, has been introduced to represent and manage the restriction mode and effective time for encryption enforcement policies.
  • Introduction of BucketEncryption class: A new class, BucketEncryption, has been added to encapsulate the overall encryption configuration for a bucket, including the default KMS key name and specific enforcement configurations for Google-managed, customer-managed, and customer-supplied encryption.
  • New constants for encryption enforcement modes: Two new constants, ENFORCEMENT_MODE_FULLY_RESTRICTED and ENFORCEMENT_MODE_NOT_RESTRICTED, have been added to define bucket encryption restriction modes.
  • Comprehensive unit tests: Extensive unit tests have been added for the new encryption property on the Bucket class, as well as for the EncryptionEnforcementConfig and BucketEncryption classes, ensuring proper functionality and integration.
Changelog
  • google/cloud/storage/bucket.py
    • Added encryption property (getter and setter) to the Bucket class.
    • Introduced EncryptionEnforcementConfig class for managing encryption restriction modes and effective times.
    • Introduced BucketEncryption class to manage default KMS keys and various encryption enforcement configurations.
  • google/cloud/storage/constants.py
    • Added ENFORCEMENT_MODE_FULLY_RESTRICTED constant.
    • Added ENFORCEMENT_MODE_NOT_RESTRICTED constant.
  • tests/unit/test_bucket.py
    • Added unit tests for the Bucket.encryption property.
    • Added a new test class Test_EncryptionEnforcementConfig with tests for its constructor, from_api_repr, and restriction_mode setter.
    • Added a new test class Test_BucketEncryption with tests for its constructor, from_api_repr, and property setters that trigger _patch_property.
Activity
  • No human activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

@rajeevpodar rajeevpodar marked this pull request as draft February 5, 2026 10:55
@gemini-code-assist (Contributor) left a comment

Code Review

This pull request adds support for bucket encryption enforcement configuration, introducing EncryptionEnforcementConfig and BucketEncryption classes and adding an encryption property to the Bucket class. The changes are well-structured and include corresponding unit tests. I have a few suggestions to improve code quality and test robustness.

This value should normally only be set by the back-end API.
"""

def __init__(self, restriction_mode=None, effective_time=None, **kw):
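Review bot: `effective_time` is accepted as a public constructor argument even though the docstring line just above says that value is normally set only by the back-end API; either state in the parameter docs that callers should leave it unset and let `from_api_repr` populate it, or take it out of the public signature so a client-chosen time is never sent to the API.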
Severity: medium

The **kw parameter in the EncryptionEnforcementConfig constructor is unused. Removing it would clean up the method signature and prevent accidental misuse with unsupported arguments.

Suggested change
- def __init__(self, restriction_mode=None, effective_time=None, **kw):
+ def __init__(self, restriction_mode=None, effective_time=None):

def test_restriction_mode_setter(self):
config = self._make_one()
self.assertIsNone(config.restriction_mode)
config.restriction_mode = "FULLY_RESTRICTED"
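Review bot: after `config.restriction_mode = "FULLY_RESTRICTED"` the test should assert that the new value is actually stored (and reaches the API representation), not only that it starts as `None`; a negative case with an unrecognised mode string would also pin down whether the setter validates client-side or leaves validation to the API.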
Severity: medium

Throughout the new tests, hardcoded strings like "FULLY_RESTRICTED" and "NOT_RESTRICTED" are used. It would be better to use the constants ENFORCEMENT_MODE_FULLY_RESTRICTED and ENFORCEMENT_MODE_NOT_RESTRICTED from google.cloud.storage.constants. This improves maintainability and consistency. This applies here and in Test_BucketEncryption (e.g., lines 4841, 4850, 4859, 4866, 4878, 4883). You'll need to add the necessary import.

Suggested change
- config.restriction_mode = "FULLY_RESTRICTED"
+ config.restriction_mode = ENFORCEMENT_MODE_FULLY_RESTRICTED

Comment on lines +4875 to +4890
encryption.default_kms_key_name = "new-key"
bucket._patch_property.assert_called_with("encryption", encryption)

config = EncryptionEnforcementConfig("NOT_RESTRICTED")
encryption.google_managed_encryption_enforcement_config = config
bucket._patch_property.assert_called_with("encryption", encryption)
self.assertEqual(
encryption.google_managed_encryption_enforcement_config.restriction_mode,
"NOT_RESTRICTED",
)

encryption.customer_managed_encryption_enforcement_config = config
bucket._patch_property.assert_called_with("encryption", encryption)

encryption.customer_supplied_encryption_enforcement_config = config
bucket._patch_property.assert_called_with("encryption", encryption)
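Review bot: the same `config` object is assigned to all three enforcement-config setters (`google_managed_encryption_enforcement_config`, `customer_managed_encryption_enforcement_config`, `customer_supplied_encryption_enforcement_config`), so the test cannot tell whether each setter stored its value under its own key; use three distinct `EncryptionEnforcementConfig` instances (for example with different restriction modes) and assert on each getter, as is currently done only for the Google-managed one.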
Severity: medium

The repeated use of assert_called_with only verifies the most recent call to bucket._patch_property. This can make the test brittle. To ensure that each setter triggers a call, it would be more robust to check the call_count after each call, or to use mock.assert_has_calls at the end of the test to verify all expected calls were made.

For example:

        bucket = self._make_bucket()
        encryption = self._make_one(bucket)

        encryption.default_kms_key_name = "new-key"
        config = EncryptionEnforcementConfig("NOT_RESTRICTED")
        encryption.google_managed_encryption_enforcement_config = config
        encryption.customer_managed_encryption_enforcement_config = config
        encryption.customer_supplied_encryption_enforcement_config = config

        self.assertEqual(bucket._patch_property.call_count, 4)
        bucket._patch_property.assert_called_with("encryption", encryption)
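An added example, not code from this PR or from python-storage, covering both the API surface described in the PR (the `EncryptionEnforcementConfig` / `BucketEncryption` wrappers, `from_api_repr`, and setters that call `_patch_property("encryption", ...)` on the owning bucket) and the setter-test robustness point raised in the review comment above. The top-level resource keys, the two mode constants and `_patch_property` come from the PR; the per-config JSON keys `restrictionMode` / `effectiveTime`, `to_api_repr()` and `requires_customer_keys()` are my assumptions. The bucket is a `unittest.mock.Mock`, so everything runs offline.

```python
# Added example, not code from the python-storage PR: a minimal model of the
# EncryptionEnforcementConfig / BucketEncryption wrappers it describes plus the hardened
# setter test from the review. The "restrictionMode"/"effectiveTime" keys, to_api_repr()
# and requires_customer_keys() are my assumptions, not the library's API.
from unittest import mock

ENFORCEMENT_MODE_FULLY_RESTRICTED = "FULLY_RESTRICTED"
ENFORCEMENT_MODE_NOT_RESTRICTED = "NOT_RESTRICTED"

# Python attribute name -> JSON key inside the bucket "encryption" sub-resource.
_CONFIG_KEYS = {
    "google_managed_encryption_enforcement_config": "googleManagedEncryptionEnforcementConfig",
    "customer_managed_encryption_enforcement_config": "customerManagedEncryptionEnforcementConfig",
    "customer_supplied_encryption_enforcement_config": "customerSuppliedEncryptionEnforcementConfig",
}

class EncryptionEnforcementConfig:
    """Restriction mode for one key type plus the back-end-set effective time."""
    def __init__(self, restriction_mode=None, effective_time=None):
        self.restriction_mode = restriction_mode  # routed through the validating setter
        self.effective_time = effective_time  # normally only set by the back end

    @property
    def restriction_mode(self):
        return self._restriction_mode

    @restriction_mode.setter
    def restriction_mode(self, value):
        # Reject bad modes client-side instead of letting the API answer with a 400.
        if value not in (None, ENFORCEMENT_MODE_FULLY_RESTRICTED, ENFORCEMENT_MODE_NOT_RESTRICTED):
            raise ValueError(f"unknown restriction mode: {value!r}")
        self._restriction_mode = value

    @classmethod
    def from_api_repr(cls, resource):
        if resource is None:  # the sub-config is absent when no policy has been set
            return None
        return cls(resource.get("restrictionMode"), resource.get("effectiveTime"))

    def to_api_repr(self):
        fields = {"restrictionMode": self._restriction_mode, "effectiveTime": self.effective_time}
        return {k: v for k, v in fields.items() if v is not None}

def _patching_property(name):
    """Property whose setter stores the value and patches the owning bucket."""
    def setter(self, value):
        self._fields[name] = value
        self._bucket._patch_property("encryption", self)
    return property(lambda self: self._fields[name], setter)

class BucketEncryption:
    """Wrapper over the bucket 'encryption' resource; every setter patches the bucket."""
    def __init__(self, bucket, default_kms_key_name=None, **configs):
        self._bucket = bucket
        self._fields = {"default_kms_key_name": default_kms_key_name}
        self._fields.update({name: configs.get(name) for name in _CONFIG_KEYS})

    default_kms_key_name = _patching_property("default_kms_key_name")
    google_managed_encryption_enforcement_config = _patching_property("google_managed_encryption_enforcement_config")
    customer_managed_encryption_enforcement_config = _patching_property("customer_managed_encryption_enforcement_config")
    customer_supplied_encryption_enforcement_config = _patching_property("customer_supplied_encryption_enforcement_config")

    @classmethod
    def from_api_repr(cls, resource, bucket):
        resource = resource or {}
        configs = {name: EncryptionEnforcementConfig.from_api_repr(resource.get(key))
                   for name, key in _CONFIG_KEYS.items()}
        return cls(bucket, resource.get("defaultKmsKeyName"), **configs)

    def to_api_repr(self):
        resource = {"defaultKmsKeyName": self._fields["default_kms_key_name"]}
        for name, key in _CONFIG_KEYS.items():
            if self._fields[name] is not None:
                resource[key] = self._fields[name].to_api_repr()
        return {k: v for k, v in resource.items() if v is not None}

def requires_customer_keys(encryption):
    """True when Google-managed keys are fully restricted, i.e. (my reading) writes need a CMEK/CSEK."""
    cfg = encryption.google_managed_encryption_enforcement_config
    return cfg is not None and cfg.restriction_mode == ENFORCEMENT_MODE_FULLY_RESTRICTED

SAMPLE_RESOURCE = {  # constructed sample of a bucket "encryption" sub-resource
    "defaultKmsKeyName": "projects/example-project/locations/us/keyRings/ring/cryptoKeys/key",
    "googleManagedEncryptionEnforcementConfig": {"restrictionMode": "FULLY_RESTRICTED",
                                                 "effectiveTime": "2026-02-05T10:52:00Z"},
    "customerManagedEncryptionEnforcementConfig": {"restrictionMode": "NOT_RESTRICTED"},
}

def exercise_setters():
    """The review's setter test, hardened: assert_called_with only sees the last call,
    so count the calls and verify every one with assert_has_calls."""
    bucket = mock.Mock()
    enc = BucketEncryption(bucket)
    enc.default_kms_key_name = SAMPLE_RESOURCE["defaultKmsKeyName"]
    for name in _CONFIG_KEYS:  # a distinct config object per setter
        setattr(enc, name, EncryptionEnforcementConfig(ENFORCEMENT_MODE_NOT_RESTRICTED))
    bucket._patch_property.assert_has_calls([mock.call("encryption", enc)] * 4)
    return bucket._patch_property.call_count
```

`exercise_setters()` returns 4, and `assert_has_calls` fails if any one setter skips the patch, which a trailing `assert_called_with` alone cannot catch because it inspects only the most recent call. `requires_customer_keys` is the posture check a reviewer of bucket configuration would script against the parsed resource: on my reading of the feature, fully restricting Google-managed encryption is what turns `defaultKmsKeyName` from a default into a requirement for new objects.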

This change introduces support for configuring bucket encryption enforcement, including:
- `defaultKmsKeyName` (via `BucketEncryption`)
- `googleManagedEncryptionEnforcementConfig`
- `customerManagedEncryptionEnforcementConfig`
- `customerSuppliedEncryptionEnforcementConfig`

New classes `EncryptionEnforcementConfig` and `BucketEncryption` are added to `google/cloud/storage/bucket.py` to wrap the API configuration.
The `Bucket` class now exposes an `encryption` property.

Tests are added in `tests/unit/test_bucket.py` and `tests/system/test_bucket.py`.

Co-authored-by: rajeevpodar <3637722+rajeevpodar@users.noreply.github.com>
@product-auto-label product-auto-label bot added size: xl Pull request size is extra large. and removed size: l Pull request size is large. labels Feb 5, 2026
google-labs-jules bot and others added 2 commits February 5, 2026 17:35
This change introduces support for configuring bucket encryption enforcement, including:
- `defaultKmsKeyName` (via `BucketEncryption`)
- `googleManagedEncryptionEnforcementConfig`
- `customerManagedEncryptionEnforcementConfig`
- `customerSuppliedEncryptionEnforcementConfig`

New classes `EncryptionEnforcementConfig` and `BucketEncryption` are added to `google/cloud/storage/bucket.py` to wrap the API configuration.
The `Bucket` class now exposes an `encryption` property.

Tests are added in `tests/unit/test_bucket.py` and `tests/system/test_bucket.py`.
Addressed review comments regarding kwargs handling, constants usage in tests, and null safety in getters.

Co-authored-by: rajeevpodar <3637722+rajeevpodar@users.noreply.github.com>
This change introduces support for configuring bucket encryption enforcement, including:
- `defaultKmsKeyName` (via `BucketEncryption`)
- `googleManagedEncryptionEnforcementConfig`
- `customerManagedEncryptionEnforcementConfig`
- `customerSuppliedEncryptionEnforcementConfig`

New classes `EncryptionEnforcementConfig` and `BucketEncryption` are added to `google/cloud/storage/bucket.py` to wrap the API configuration.
The `Bucket` class now exposes an `encryption` property.

Tests are added in `tests/unit/test_bucket.py` and `tests/system/test_bucket.py`.
Addressed review comments:
- Handling `**kw` in `EncryptionEnforcementConfig.__init__` for forward compatibility.
- Using constants for restriction modes in tests.
- Improving test robustness.
- Formatting with black.

Co-authored-by: rajeevpodar <3637722+rajeevpodar@users.noreply.github.com>