feat(storage): add samples and system tests for bucket encryption enforcement

[thiyaguk09]

Description

Adds comprehensive code samples and system tests to verify Google-managed,
Customer-managed, and Customer-supplied encryption enforcement logic.

• Add setBucketEncryptionEnforcementConfig.js sample
• Add getBucketEncryptionEnforcementConfig.js sample
• Add updateBucketEncryptionEnforcementConfig.js sample
• Add system tests to verify CLI output and backend metadata state
• Ensure server-side effectiveTime is correctly captured and displayed

Checklist

• I have followed guidelines from CONTRIBUTING.MD and Samples Style Guide
• Tests pass: npm test (see Testing)
• Lint pass: npm run lint (see Style)
• Required CI tests pass (see CI testing)
• These samples need a new API enabled in testing projects to pass (let us know which ones)
• These samples need a new/updated env vars in testing projects set to pass (let us know which ones)
• This pull request is from a branch created directly off of GoogleCloudPlatform/nodejs-docs-samples. Not a fork.
• This sample adds a new sample directory, and I updated the CODEOWNERS file with the codeowners for this sample
• This sample adds a new sample directory, and I created GitHub Actions workflow for this sample
• This sample adds a new Product API, and I updated the Blunderbuss issue/PR auto-assigner with the codeowners for this sample
• Please merge this PR for me once it is approved

Note: Any check with (dev), (experimental), or (legacy) can be ignored and should not block your PR from merging (see CI testing).

[snippet-bot]

Here is the summary of changes.

You are about to add 3 region tags.

• storage/getBucketEncryptionEnforcementConfig.js:23, tag storage_get_encryption_enforcement_config
• storage/setBucketEncryptionEnforcementConfig.js:26, tag storage_set_encryption_enforcement_config
• storage/updateBucketEncryptionEnforcementConfig.js:23, tag storage_update_bucket_encryption_enforcement_config

---

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

• Refresh this comment

[gemini-code-assist]

Code Review

This pull request introduces three new code samples and corresponding system tests for managing bucket encryption enforcement configurations in Google Cloud Storage. The new samples demonstrate how to retrieve, set, and update or clear enforcement settings for Google-managed (GMEK), customer-managed (CMEK), and customer-supplied (CSEK) encryption. I have no feedback to provide as there are no review comments to evaluate.

[chandra-siri]

nit: 2026

[chandra-siri]

These tests are not robust, it's just checking a substring match.

as in this case you're trying to assert FullyRestricted Mode on GMEK, however the following code would still match the substring and

Google Managed (GMEK) Enforcement:
Mode: NotRestricted

Customer Managed (CMEK) Enforcement:
Mode: FullyRestricted

[chandra-siri]

The Better Architecture: Test the State, not the String (Testing the API)

// 1. Assert the script ran without throwing errors
const output = execSync(node setBucketEncryptionEnforcementConfig.js ${bucketName} ${defaultKmsKeyName});

// 2. Fetch the actual truth from the GCP API
const [metadata] = await bucket.getMetadata();
const encryptionConfig = metadata.encryption || {};

// 3. Assert against the actual state object
assert.strictEqual(
encryptionConfig.googleManagedEncryptionEnforcementConfig?.restrictionMode,
'FullyRestricted',
'GMEK should be FullyRestricted'
);

// Add equivalent assertions for CMEK and CSEK based on the actual
// structure of metadata.encryption in the Google Cloud Storage API
assert.strictEqual(encryptionConfig.defaultKmsKeyName, defaultKmsKeyName);