feat(storage): add support for bucket encryption enforcement config

Author: bajajneha27

google/cloud/storage/bucket_encryption.h

@@ -23,6 +23,31 @@ namespace cloud {
 namespace storage {
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
 
+/**
+ * Google Managed Encryption (GMEK) enforcement config of a bucket.
+ */
+struct GoogleManagedEncryptionEnforcementConfig {
+  std::string restriction_mode;
+  std::chrono::system_clock::time_point effective_time;
+};
+
+inline bool operator==(GoogleManagedEncryptionEnforcementConfig const& lhs,
+                       GoogleManagedEncryptionEnforcementConfig const& rhs) {
+                        return std::tie(lhs.restriction_mode, lhs.effective_time) == 
+                        std::tie(rhs.restriction_mode, rhs.effective_time);
+                       }
+
+inline bool operator<(GoogleManagedEncryptionEnforcementConfig const& lhs,
+                      GoogleManagedEncryptionEnforcementConfig const& rhs) {
+                        return std::tie(lhs.restriction_mode, lhs.effective_time) <
+                        std::tie(rhs.restriction_mode, rhs.effective_time);
+                      }
+
+inline bool operator!=(GoogleManagedEncryptionEnforcementConfig const& lhs,
+                       GoogleManagedEncryptionEnforcementConfig const& rhs) {
+                        
+                       }
+
 /**
  * Describes the default customer managed encryption key for a bucket.
  *
@@ -37,6 +62,9 @@ GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
  */
 struct BucketEncryption {
   std::string default_kms_key_name;
+  GoogleManagedEncryptionEnforcementConfig google_managed_encryption_enforcement_config;
+  CustomerManagedEncryptionEnforcementConfig customer_managed_encryption_enforcement_config;
+  CustomerSuppliedEncryptionEnforcementConfig customer_supplied_encryption_enforcement_config;
 };
 
 inline bool operator==(BucketEncryption const& lhs,

google/cloud/storage/bucket_metadata.cc

@@ -150,8 +150,8 @@ std::ostream& operator<<(std::ostream& os, BucketMetadata const& rhs) {
   os << "]";
 
   if (rhs.has_encryption()) {
-    os << ", encryption.default_kms_key_name="
-       << rhs.encryption().default_kms_key_name;
+    os << ", encryption="
+       << rhs.encryption();
   }
 
   os << ", etag=" << rhs.etag();

google/cloud/storage/bucket_metadata_test.cc

@@ -107,7 +107,19 @@ BucketMetadata CreateBucketMetadataForTest() {
         "etag": "AYX="
       }],
       "encryption": {
-        "defaultKmsKeyName": "projects/test-project-name/locations/us-central1/keyRings/test-keyring-name/cryptoKeys/test-key-name"
+        "defaultKmsKeyName": "projects/test-project-name/locations/us-central1/keyRings/test-keyring-name/cryptoKeys/test-key-name",
+        "googleManagedEncryptionEnforcementConfig": {
+          "restriction_mode": "FULLY_RESTRICTED",
+          "effective_time": "2025-12-18T18:13:15Z"
+        },
+        "customerManagedEncryptionEnforcementConfig": {
+          "restriction_mode": "NOT_RESTRICTED",
+          "effective_time": "2025-12-18T18:13:15Z"
+        },
+        "customerSuppliedEncryptionEnforcementConfig": {
+          "restriction_mode": "NOT_RESTRICTED",
+          "effective_time": "2025-12-18T18:13:15Z"
+        }
       },
       "etag": "XYZ=",
       "hierarchicalNamespace": {
@@ -224,6 +236,10 @@ TEST(BucketMetadataTest, Parse) {
       "projects/test-project-name/locations/us-central1/keyRings/"
       "test-keyring-name/cryptoKeys/test-key-name",
       actual.encryption().default_kms_key_name);
+  EXPECT_EQ("FULLY_RESTRICTED", actual.encryption().googleManagedEncryptionEnforcementConfig.restriction_mode);
+  EXPECT_EQ("NOT_RESTRICTED", actual.encryption().customerManagedEncryptionEnforcementConfig.restriction_mode);
+  EXPECT_EQ("NOT_RESTRICTED", actual.encryption().customerSuppliedEncryptionEnforcementConfig.restriction_mode);
+  EXPECT_EQ("2025-12-18T18:13:15Z", actual.encryption().customerSuppliedEncryptionEnforcementConfig.effective_time);
   EXPECT_EQ("XYZ=", actual.etag());
   // hierarchicalNamespace
   ASSERT_TRUE(actual.has_hierarchical_namespace());
@@ -493,6 +509,11 @@ TEST(BucketMetadataTest, ToJsonString) {
       "projects/test-project-name/locations/us-central1/keyRings/"
       "test-keyring-name/cryptoKeys/test-key-name",
       actual["encryption"].value("defaultKmsKeyName", ""));
+  nlohmann::json expected_encryption_enforcement_config{
+    {"googleManagedEncryptionEnforcementConfig", nlohmann::json{"restriction_mode", "FULLY_RESTRICTED"}},
+    {"customerManagedEncryptionEnforcementConfig", nlohmann::json{"restriction_mode", "NOT_RESTRICTED"}},
+    {"customerSuppliedEncryptionEnforcementConfig", nlohmann::json{"restriction_mode", "NOT_RESTRICTED"}}};
+  EXPECT_EQ(expected_encryption_enforcement_config, actual["encryption"]);
 
   // hierarchical_namespace()
   ASSERT_EQ(1, actual.count("hierarchicalNamespace"));
@@ -849,8 +870,13 @@ TEST(BucketMetadataTest, SetEncryption) {
   std::string fake_key_name =
       "projects/test-project-name/locations/us-central1/keyRings/"
       "test-keyring-name/cryptoKeys/another-test-key-name";
-  copy.set_encryption(BucketEncryption{fake_key_name});
+  std::string fake_restriction_mode = "FULLY_RESTRICTED";
+
+  copy.set_encryption(BucketEncryption{fake_key_name, fake_restriction_mode});
   EXPECT_EQ(fake_key_name, copy.encryption().default_kms_key_name);
+  EXPECT_EQ(fake_restriction_mode, copy.encryption().googleManagedEncryptionEnforcementConfig.restriction_mode);
+  EXPECT_EQ(fake_restriction_mode, copy.encryption().customerManagedEncryptionEnforcementConfig.restriction_mode);
+  EXPECT_EQ(fake_restriction_mode, copy.encryption().customerSuppliedEncryptionEnforcementConfig.restriction_mode);
   EXPECT_NE(expected, copy);
 }
 

google/cloud/storage/internal/bucket_metadata_parser.cc

@@ -160,11 +160,32 @@ Status ParseEncryption(BucketMetadata& meta, nlohmann::json const& json) {
   if (json.contains("encryption")) {
     BucketEncryption e;
     e.default_kms_key_name = json["encryption"].value("defaultKmsKeyName", "");
+    e.google_managed_encryption_enforcement_config = ParseGoogleManagedEncryptionEnforcementConfig(json["encryption"]);
+    e.customer_managed_encryption_enforcement_config = ParseCustomerManagedEncryptionEnforcementConfig(json["encryption"]);
+    e.customer_supplied_encryption_enforcement_config = ParseCustomerSuppliedEncryptionEnforcementConfig(json["encryption"]);
     meta.set_encryption(std::move(e));
   }
   return Status{};
 }
 
+StatusOr<GoogleManagedEncryptionEnforcementConfig> ParseGoogleManagedEncryptionEnforcementConfig(nlohmann::json const& json) {
+  auto restriction_mode = json["restriction_mode"];
+  auto effective_time = internal::ParseTimestampField(json, "effective_time");
+  return GoogleManagedEncryptionEnforcementConfig{*restriction_mode, *effective_time};
+}
+
+StatusOr<CustomerManagedEncryptionEnforcementConfig> ParseCustomerManagedEncryptionEnforcementConfig(nlohmann::json const& json) {
+  auto restriction_mode = json["restriction_mode"];
+  auto effective_time = internal::ParseTimestampField(json, "effective_time");
+  return CustomerManagedEncryptionEnforcementConfig{*restriction_mode, *effective_time};
+}
+
+StatusOr<CustomerSuppliedEncryptionEnforcementConfig> ParseCustomerSuppliedEncryptionEnforcementConfig(nlohmann:json const& json) {
+  auto restriction_mode = json["restriction_mode"];
+  auto effective_time = internal::ParseTimestampField(json, "effective_time");
+  return CustomerSuppliedEncryptionEnforcementConfig{*restriction_mode, *effective_time};
+}
+
 Status ParseHierarchicalNamespace(BucketMetadata& meta,
                                   nlohmann::json const& json) {
   auto const i = json.find("hierarchicalNamespace");