From d9f64e311ac2d2e5cc13dcb2280eb3f517b977f9 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 15:58:15 +0000
Subject: [PATCH] I have added support for Bucket Encryption Enforcement Configuration. This change implements `GoogleManagedEncryptionEnforcementConfig`, `CustomerManagedEncryptionEnforcementConfig`, and `CustomerSuppliedEncryptionEnforcementConfig` in the Go storage client, mirroring the implementation in the Java client. I added the corresponding structs and updated `BucketEncryption` to include them. Mapping to and from storagepb (gRPC) is implemented, while JSON API mapping is deferred until the underlying library is updated. Since the environment was initialized with the Java repository, I performed the implementation in a separate clone and have provided the changes as a patch file named `implementation.patch`.
Co-authored-by: krishnamd-jkp <230955344+krishnamd-jkp@users.noreply.github.com>
---
implementation.patch | 147 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 147 insertions(+)
create mode 100644 implementation.patch
diff --git a/implementation.patch b/implementation.patch
new file mode 100644
index 0000000000..bf79f509fc
--- /dev/null
+++ b/implementation.patch
@@ -0,0 +1,147 @@
+diff --git a/go.mod b/go.mod
+index 4531b4d140..72da38e5df 100644
+--- a/go.mod
++++ b/go.mod
+@@ -11,7 +11,7 @@ require (
+ go.opentelemetry.io/otel/sdk v1.40.0
+ go.opentelemetry.io/otel/trace v1.40.0
+ golang.org/x/oauth2 v0.35.0
+- google.golang.org/api v0.265.0
++ google.golang.org/api v0.267.0
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20
+ google.golang.org/grpc v1.78.0
+ google.golang.org/protobuf v1.36.11
+diff --git a/go.sum b/go.sum
+index 65a831cac2..b3dce7e1da 100644
+--- a/go.sum
++++ b/go.sum
+@@ -113,6 +113,8 @@ gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+ gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+ google.golang.org/api v0.265.0 h1:FZvfUdI8nfmuNrE34aOWFPmLC+qRBEiNm3JdivTvAAU=
+ google.golang.org/api v0.265.0/go.mod h1:uAvfEl3SLUj/7n6k+lJutcswVojHPp2Sp08jWCu8hLY=
++google.golang.org/api v0.267.0 h1:w+vfWPMPYeRs8qH1aYYsFX68jMls5acWl/jocfLomwE=
++google.golang.org/api v0.267.0/go.mod h1:Jzc0+ZfLnyvXma3UtaTl023TdhZu6OMBP9tJ+0EmFD0=
+ google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
+ google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
+ google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
+diff --git a/storage/bucket.go b/storage/bucket.go
+index 509d8693cf..552dddd46c 100644
+--- a/storage/bucket.go
++++ b/storage/bucket.go
+@@ -1137,6 +1137,45 @@ type CORS struct {
+ ResponseHeaders []string
+ }
+
++// EncryptionEnforcementRestrictionMode describes the enforcement mode for encryption.
++type EncryptionEnforcementRestrictionMode string
++
++const (
++ // EncryptionEnforcementRestrictionModeUnspecified is the default value.
++ EncryptionEnforcementRestrictionModeUnspecified EncryptionEnforcementRestrictionMode = "Unspecified"
++ // EncryptionEnforcementRestrictionModeNotRestricted means encryption is not restricted.
++ EncryptionEnforcementRestrictionModeNotRestricted EncryptionEnforcementRestrictionMode = "NotRestricted"
++ // EncryptionEnforcementRestrictionModeFullyRestricted means encryption is fully restricted.
++ EncryptionEnforcementRestrictionModeFullyRestricted EncryptionEnforcementRestrictionMode = "FullyRestricted"
++)
++
++// GoogleManagedEncryptionEnforcementConfig describes the Google Managed Encryption Enforcement Config.
++type GoogleManagedEncryptionEnforcementConfig struct {
++ // RestrictionMode determines the restriction mode.
++ RestrictionMode EncryptionEnforcementRestrictionMode
++ // EffectiveTime is the time when the policy became effective.
++ // This field is read-only.
++ EffectiveTime time.Time
++}
++
++// CustomerManagedEncryptionEnforcementConfig describes the Customer Managed Encryption Enforcement Config.
++type CustomerManagedEncryptionEnforcementConfig struct {
++ // RestrictionMode determines the restriction mode.
++ RestrictionMode EncryptionEnforcementRestrictionMode
++ // EffectiveTime is the time when the policy became effective.
++ // This field is read-only.
++ EffectiveTime time.Time
++}
++
++// CustomerSuppliedEncryptionEnforcementConfig describes the Customer Supplied Encryption Enforcement Config.
++type CustomerSuppliedEncryptionEnforcementConfig struct {
++ // RestrictionMode determines the restriction mode.
++ RestrictionMode EncryptionEnforcementRestrictionMode
++ // EffectiveTime is the time when the policy became effective.
++ // This field is read-only.
++ EffectiveTime time.Time
++}
++
+ // BucketEncryption is a bucket's encryption configuration.
+ type BucketEncryption struct {
+ // A Cloud KMS key name, in the form
+@@ -1144,6 +1183,15 @@ type BucketEncryption struct {
+ // objects inserted into this bucket, if no encryption method is specified.
+ // The key's location must be the same as the bucket's.
+ DefaultKMSKeyName string
++
++ // GoogleManagedEncryptionEnforcementConfig describes the Google Managed Encryption Enforcement Config.
++ GoogleManagedEncryptionEnforcementConfig *GoogleManagedEncryptionEnforcementConfig
++
++ // CustomerManagedEncryptionEnforcementConfig describes the Customer Managed Encryption Enforcement Config.
++ CustomerManagedEncryptionEnforcementConfig *CustomerManagedEncryptionEnforcementConfig
++
++ // CustomerSuppliedEncryptionEnforcementConfig describes the Customer Supplied Encryption Enforcement Config.
++ CustomerSuppliedEncryptionEnforcementConfig *CustomerSuppliedEncryptionEnforcementConfig
+ }
+
+ // BucketAttrsToUpdate define the attributes to update during an Update call.
+@@ -1851,9 +1899,25 @@ func (e *BucketEncryption) toProtoBucketEncryption() *storagepb.Bucket_Encryptio
+ if e == nil {
+ return nil
+ }
+- return &storagepb.Bucket_Encryption{
++ enc := &storagepb.Bucket_Encryption{
+ DefaultKmsKey: e.DefaultKMSKeyName,
+ }
++ if e.GoogleManagedEncryptionEnforcementConfig != nil {
++ enc.GoogleManagedEncryptionEnforcementConfig = &storagepb.Bucket_Encryption_GoogleManagedEncryptionEnforcementConfig{
++ RestrictionMode: proto.String(string(e.GoogleManagedEncryptionEnforcementConfig.RestrictionMode)),
++ }
++ }
++ if e.CustomerManagedEncryptionEnforcementConfig != nil {
++ enc.CustomerManagedEncryptionEnforcementConfig = &storagepb.Bucket_Encryption_CustomerManagedEncryptionEnforcementConfig{
++ RestrictionMode: proto.String(string(e.CustomerManagedEncryptionEnforcementConfig.RestrictionMode)),
++ }
++ }
++ if e.CustomerSuppliedEncryptionEnforcementConfig != nil {
++ enc.CustomerSuppliedEncryptionEnforcementConfig =
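Review bot: The comment on `EncryptionEnforcementRestrictionModeUnspecified` calls it "the default value", but the Go zero value of a `RestrictionMode` field is `""`, not `"Unspecified"`, so a caller never gets this constant by default and, if they set it explicitly, the literal string "Unspecified" is what goes on the wire — whether the service accepts that is not visible here. Either make the constant the zero value, `EncryptionEnforcementRestrictionModeUnspecified EncryptionEnforcementRestrictionMode = ""`, or reword the comment to `// EncryptionEnforcementRestrictionModeUnspecified is sent verbatim; leave RestrictionMode empty to omit the field.` The three config structs are identical in shape and their doc comments only restate the type name; for a setting that gates which encryption keys a bucket will accept, each `RestrictionMode` comment should say which key type this config restricts and list the accepted values (`NotRestricted`, `FullyRestricted`), and `EffectiveTime` should say what "read-only" means in practice (ignored on write, populated on read).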
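Review bot: The three new `BucketEncryption` fields carry no transport caveat, yet per the description only the gRPC mapping is implemented and `toBucketEncryption(e *raw.BucketEncryption)` is left untouched, so over the JSON API a config the caller sets is silently never sent and a config the service holds is read back as nil. For an encryption-enforcement control that is the dangerous direction: setting `CustomerManagedEncryptionEnforcementConfig{RestrictionMode: EncryptionEnforcementRestrictionModeFullyRestricted}` on an HTTP client yields no error and no enforcement, and a reader seeing nil may conclude nothing is enforced. Until the JSON mapping lands, state it on each field, e.g. `// Only supported with the gRPC transport; ignored (neither sent nor read) on the JSON API.`, and if the write path can tell which transport is in use it should return an error rather than drop the field. The write path (`BucketAttrsToUpdate` and the raw-side conversion) is outside this hunk.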
&storagepb.Bucket_Encryption_CustomerSuppliedEncryptionEnforcementConfig{
++ RestrictionMode: proto.String(string(e.CustomerSuppliedEncryptionEnforcementConfig.RestrictionMode)),
++ }
++ }
++ return enc
+ }
+
+ func toBucketEncryption(e *raw.BucketEncryption) *BucketEncryption {
+@@ -1867,7 +1931,26 @@ func toBucketEncryptionFromProto(e *storagepb.Bucket_Encryption) *BucketEncrypti
+ if e == nil {
+ return nil
+ }
+- return &BucketEncryption{DefaultKMSKeyName: e.GetDefaultKmsKey()}
++ enc := &BucketEncryption{DefaultKMSKeyName: e.GetDefaultKmsKey()}
++ if v := e.GetGoogleManagedEncryptionEnforcementConfig(); v != nil {
++ enc.GoogleManagedEncryptionEnforcementConfig = &GoogleManagedEncryptionEnforcementConfig{
++ RestrictionMode: EncryptionEnforcementRestrictionMode(v.GetRestrictionMode()),
++ EffectiveTime: v.GetEffectiveTime().AsTime(),
++ }
++ }
++ if v := e.GetCustomerManagedEncryptionEnforcementConfig(); v != nil {
++ enc.CustomerManagedEncryptionEnforcementConfig = &CustomerManagedEncryptionEnforcementConfig{
++ RestrictionMode: EncryptionEnforcementRestrictionMode(v.GetRestrictionMode()),
++ EffectiveTime: v.GetEffectiveTime().AsTime(),
++ }
++ }
++ if v := e.GetCustomerSuppliedEncryptionEnforcementConfig(); v != nil {
++ enc.CustomerSuppliedEncryptionEnforcementConfig = &CustomerSuppliedEncryptionEnforcementConfig{
++ RestrictionMode: EncryptionEnforcementRestrictionMode(v.GetRestrictionMode()),
++ EffectiveTime: v.GetEffectiveTime().AsTime(),
++ }
++ }
++ return enc
+ }
+
+ func (b *BucketLogging) toRawBucketLogging() *raw.BucketLogging {
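Review bot: `toProtoBucketEncryption` sets `RestrictionMode: proto.String(string(...RestrictionMode))` unconditionally in all three branches, so a config struct whose `RestrictionMode` is the zero value is sent with an explicit empty-string mode rather than with the field unset — not the same wire request as omitting it, and what the service does with an explicit `""` on an enforcement setting is not visible here. Guard each branch on the mode, e.g. `if m := e.GoogleManagedEncryptionEnforcementConfig.RestrictionMode; m != "" { cfg.RestrictionMode = proto.String(string(m)) }`, and likewise for the customer-managed and customer-supplied branches. The three branches differ only in the type names, so a one-line helper turning an `EncryptionEnforcementRestrictionMode` into a `*string` (nil when empty) would keep them from drifting.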
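Review bot: `v.GetEffectiveTime().AsTime()` in `toBucketEncryptionFromProto` cannot represent an absent timestamp: `(*timestamppb.Timestamp).AsTime` is nil-safe and returns `time.Unix(0, 0).UTC()`, so a config with no `effective_time` comes back as 1970-01-01 with `IsZero()` false instead of a zero `time.Time`, and a caller checking `EffectiveTime.IsZero()` cannot tell "not yet in force" from "in force since the epoch". Populate it only when present, `if ts := v.GetEffectiveTime(); ts != nil { cfg.EffectiveTime = ts.AsTime() }`, in each of the three branches. Separately, this commit checks in `implementation.patch` as a file rather than applying it, so none of this Go code is compiled or run by CI in its current form; it should be applied (and the three mapping branches covered by a round-trip test) before merging.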