[Storage] KMS integration

google-cloud-clients/google-cloud-storage/src/main/java/com/google/cloud/storage/Blob.java

@@ -184,7 +184,6 @@ public static BlobSourceOption decryptionKey(String key) {
      * Returns an option for blob's billing user project. This option is used only if the blob's
      * bucket has requester_pays flag enabled.
      */
-    @GcpLaunchStage.Alpha
     public static BlobSourceOption userProject(String userProject) {
       return new BlobSourceOption(StorageRpc.Option.USER_PROJECT, userProject);
     }
@@ -403,6 +402,13 @@ Builder setCustomerEncryption(CustomerEncryption customerEncryption) {
       return this;
     }
 
+    @GcpLaunchStage.Beta
+    @Override
+    Builder setKmsKeyName(String kmsKeyName) {
+      infoBuilder.setKmsKeyName(kmsKeyName);
+      return this;
+    }
+
     @Override
     public Blob build() {
       return new Blob(storage, infoBuilder);

google-cloud-clients/google-cloud-storage/src/main/java/com/google/cloud/storage/BlobInfo.java

@@ -24,6 +24,7 @@
 import com.google.api.services.storage.model.ObjectAccessControl;
 import com.google.api.services.storage.model.StorageObject;
 import com.google.api.services.storage.model.StorageObject.Owner;
+import com.google.cloud.GcpLaunchStage;
 import com.google.cloud.storage.Blob.Builder;
 import com.google.common.base.Function;
 import com.google.common.base.MoreObjects;
@@ -83,6 +84,7 @@ public StorageObject apply(BlobInfo blobInfo) {
   private final Integer componentCount;
   private final boolean isDirectory;
   private final CustomerEncryption customerEncryption;
+  private final String kmsKeyName;
 
   /**
    * This class is meant for internal use only. Users are discouraged from using this class.
@@ -266,6 +268,13 @@ public abstract static class Builder {
 
     abstract Builder setCustomerEncryption(CustomerEncryption customerEncryption);
 
+    /**
+     *
+     * Sets the blob's kmsKeyName.
+     */
+    @GcpLaunchStage.Beta
+    abstract Builder setKmsKeyName(String kmsKeyName);
+
     /**
      * Creates a {@code BlobInfo} object.
      */
@@ -298,6 +307,7 @@ static final class BuilderImpl extends Builder {
     private Boolean isDirectory;
     private CustomerEncryption customerEncryption;
     private StorageClass storageClass;
+    private String kmsKeyName;
 
     BuilderImpl(BlobId blobId) {
       this.blobId = blobId;
@@ -328,6 +338,7 @@ static final class BuilderImpl extends Builder {
       createTime = blobInfo.createTime;
       isDirectory = blobInfo.isDirectory;
       storageClass = blobInfo.storageClass;
+      kmsKeyName = blobInfo.kmsKeyName;
     }
 
     @Override
@@ -475,6 +486,13 @@ Builder setCustomerEncryption(CustomerEncryption customerEncryption) {
       return this;
     }
 
+    @GcpLaunchStage.Beta
+    @Override
+    Builder setKmsKeyName(String kmsKeyName) {
+      this.kmsKeyName = kmsKeyName;
+      return this;
+    }
+
     @Override
     public BlobInfo build() {
       checkNotNull(blobId);
@@ -507,6 +525,7 @@ public BlobInfo build() {
     createTime = builder.createTime;
     isDirectory = firstNonNull(builder.isDirectory, Boolean.FALSE);
     storageClass = builder.storageClass;
+    kmsKeyName = builder.kmsKeyName;
   }
 
     /**
@@ -737,6 +756,14 @@ public StorageClass getStorageClass() {
     return storageClass;
   }
 
+  /**
+   * Returns the Cloud KMS key used to encrypt the blob, if any.
+   */
+  @GcpLaunchStage.Beta
+  public String getKmsKeyName() {
+    return kmsKeyName;
+  }
+
   /**
    * Returns a builder for the current blob.
    */
@@ -809,6 +836,8 @@ public ObjectAccessControl apply(Acl acl) {
     if (customerEncryption != null) {
       storageObject.setCustomerEncryption(customerEncryption.toPb());
     }
+
+    storageObject.setKmsKeyName(kmsKeyName);
     storageObject.setMetadata(pbMetadata);
     storageObject.setCacheControl(cacheControl);
     storageObject.setContentEncoding(contentEncoding);
@@ -939,6 +968,9 @@ public Acl apply(ObjectAccessControl objectAccessControl) {
     if (storageObject.getStorageClass() != null) {
       builder.setStorageClass(StorageClass.valueOf(storageObject.getStorageClass()));
     }
+    if (storageObject.getKmsKeyName() != null) {
+      builder.setKmsKeyName(storageObject.getKmsKeyName());
+    }
     return builder.build();
   }
 }

google-cloud-clients/google-cloud-storage/src/main/java/com/google/cloud/storage/Bucket.java

@@ -118,7 +118,6 @@ public static BucketSourceOption metagenerationNotMatch() {
      * Returns an option for blob's billing user project. This option is only used by the buckets with
      * 'requester_pays' flag.
      */
-    @GcpLaunchStage.Alpha
     public static BucketSourceOption userProject(String userProject) {
       return new BucketSourceOption(StorageRpc.Option.USER_PROJECT, userProject);
     }
@@ -188,6 +187,9 @@ private Tuple<BlobInfo, Storage.BlobTargetOption> toTargetOption(BlobInfo blobIn
         case CUSTOMER_SUPPLIED_KEY:
           return Tuple.of(blobInfo,
               Storage.BlobTargetOption.encryptionKey((String) getValue()));
+        case KMS_KEY_NAME:
+          return Tuple.of(blobInfo,
+                  Storage.BlobTargetOption.kmsKeyName((String) getValue()));
         case USER_PROJECT:
           return Tuple.of(blobInfo,
               Storage.BlobTargetOption.userProject((String) getValue()));
@@ -267,11 +269,20 @@ public static BlobTargetOption encryptionKey(String key) {
       return new BlobTargetOption(StorageRpc.Option.CUSTOMER_SUPPLIED_KEY, key);
     }
 
+    /**
+     * Returns an option to set a customer-managed KMS key for server-side encryption of the
+     * blob.
+     *
+     * @param kmsKeyName the KMS key resource id
+     */
+    public static BlobTargetOption kmsKeyName(String kmsKeyName) {
+      return new BlobTargetOption(StorageRpc.Option.KMS_KEY_NAME, kmsKeyName);
+    }
+
     /**
      * Returns an option for blob's billing user project. This option is only used by the buckets with
      * 'requester_pays' flag.
      */
-    @GcpLaunchStage.Alpha
     public static BlobTargetOption userProject(String userProject) {
       return new BlobTargetOption(StorageRpc.Option.USER_PROJECT, userProject);
     }
@@ -345,6 +356,9 @@ private Tuple<BlobInfo, Storage.BlobWriteOption> toWriteOption(BlobInfo blobInfo
         case CUSTOMER_SUPPLIED_KEY:
           return Tuple.of(blobInfo,
               Storage.BlobWriteOption.encryptionKey((String) value));
+        case KMS_KEY_NAME:
+          return Tuple.of(blobInfo,
+                  Storage.BlobWriteOption.kmsKeyName((String) value));
         case USER_PROJECT:
           return Tuple.of(blobInfo, Storage.BlobWriteOption.userProject((String) value));
         default:
@@ -468,7 +482,6 @@ public static BlobWriteOption encryptionKey(String key) {
      * Returns an option for blob's billing user project. This option is only used by the buckets with
      * 'requester_pays' flag.
      */
-    @GcpLaunchStage.Alpha
     public static BlobWriteOption userProject(String userProject) {
       return new BlobWriteOption(Storage.BlobWriteOption.Option.USER_PROJECT, userProject);
     }
@@ -615,6 +628,13 @@ public Builder setLabels(Map<String, String> labels) {
       return this;
     }
 
+    @GcpLaunchStage.Beta
+    @Override
+    public Builder setDefaultKmsKeyName(String defaultKmsKeyName) {
+      infoBuilder.setDefaultKmsKeyName(defaultKmsKeyName);
+      return this;
+    }
+
     @Override
     public Bucket build() {
       return new Bucket(storage, infoBuilder);

google-cloud-clients/google-cloud-storage/src/main/java/com/google/cloud/storage/BucketInfo.java

@@ -25,11 +25,13 @@
 import com.google.api.client.util.DateTime;
 import com.google.api.services.storage.model.*;
 import com.google.api.services.storage.model.Bucket;
+import com.google.api.services.storage.model.Bucket.Encryption;
 import com.google.api.services.storage.model.Bucket.Lifecycle;
 import com.google.api.services.storage.model.Bucket.Lifecycle.Rule;
 import com.google.api.services.storage.model.Bucket.Owner;
 import com.google.api.services.storage.model.Bucket.Versioning;
 import com.google.api.services.storage.model.Bucket.Website;
+import com.google.cloud.GcpLaunchStage;
 import com.google.cloud.storage.Acl.Entity;
 import com.google.common.base.Function;
 import com.google.common.base.MoreObjects;
@@ -85,6 +87,7 @@ public com.google.api.services.storage.model.Bucket apply(BucketInfo bucketInfo)
   private final String location;
   private final StorageClass storageClass;
   private final Map<String, String> labels;
+  private final String defaultKmsKeyName;
 
   /**
    * Base class for bucket's delete rules. Allows to configure automatic deletion of blobs and blobs
@@ -423,6 +426,12 @@ public abstract static class Builder {
      */
     public abstract Builder setLabels(Map<String, String> labels);
 
+    /**
+     * Sets the default Cloud KMS key name for this bucket.
+     */
+    @GcpLaunchStage.Beta
+    public abstract Builder setDefaultKmsKeyName(String defaultKmsKeyName);
+
     /**
      * Creates a {@code BucketInfo} object.
      */
@@ -449,6 +458,7 @@ static final class BuilderImpl extends Builder {
     private List<Acl> acl;
     private List<Acl> defaultAcl;
     private Map<String, String> labels;
+    private String defaultKmsKeyName;
 
     BuilderImpl(String name) {
       this.name = name;
@@ -473,6 +483,7 @@ static final class BuilderImpl extends Builder {
       deleteRules = bucketInfo.deleteRules;
       labels = bucketInfo.labels;
       requesterPays = bucketInfo.requesterPays;
+      defaultKmsKeyName = bucketInfo.defaultKmsKeyName;
     }
 
     @Override
@@ -584,6 +595,14 @@ public Builder setLabels(Map<String, String> labels) {
       return this;
     }
 
+    @GcpLaunchStage.Beta
+    @Override
+    public Builder setDefaultKmsKeyName(String defaultKmsKeyName) {
+      this.defaultKmsKeyName = defaultKmsKeyName != null
+              ? defaultKmsKeyName : Data.<String>nullOf(String.class);
+      return this;
+    }
+
     @Override
     public BucketInfo build() {
       checkNotNull(name);
@@ -610,6 +629,7 @@ public BucketInfo build() {
     deleteRules = builder.deleteRules;
     labels = builder.labels;
     requesterPays = builder.requesterPays;
+    defaultKmsKeyName = builder.defaultKmsKeyName;
   }
 
   /**
@@ -762,6 +782,14 @@ public Map<String, String> getLabels() {
     return labels;
   }
 
+  /**
+   * Returns the default Cloud KMS key to be applied to newly inserted objects in this bucket.
+   */
+  @GcpLaunchStage.Beta
+  public String getDefaultKmsKeyName() {
+    return defaultKmsKeyName;
+  }
+
   /**
    * Returns a builder for the current bucket.
    */
@@ -857,7 +885,9 @@ public Rule apply(DeleteRule deleteRule) {
     if (labels != null) {
       bucketPb.setLabels(labels);
     }
-
+    if (defaultKmsKeyName != null) {
+      bucketPb.setEncryption(new Encryption().setDefaultKmsKeyName(defaultKmsKeyName));
+    }
     return bucketPb;
   }
 
@@ -945,6 +975,10 @@ public DeleteRule apply(Rule rule) {
     if (billing != null) {
       builder.setRequesterPays(billing.getRequesterPays());
     }
+    Encryption encryption = bucketPb.getEncryption();
+    if (encryption != null && encryption.getDefaultKmsKeyName() != null && !encryption.getDefaultKmsKeyName().isEmpty()) {
+      builder.setDefaultKmsKeyName(encryption.getDefaultKmsKeyName());
+    }
     return builder.build();
   }
 }