Secretkeeper: test sealing policy update

Test: VtsSecretkeeperTargetTest
Change-Id: Ib1d60dc2f80aa8b02011506af7e5c310ad92573a
diff --git a/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs b/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
index 8c33f04..439883f 100644
--- a/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
+++ b/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
@@ -171,7 +171,16 @@
 
     /// Helper method to get a secret.
     fn get(&mut self, id: &Id) -> Result<Secret, Error> {
-        let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy: None };
+        self.get_update_policy(id, None)
+    }
+
+    /// Helper method to get a secret, updating the sealing policy along the way.
+    fn get_update_policy(
+        &mut self,
+        id: &Id,
+        updated_sealing_policy: Option<Vec<u8>>,
+    ) -> Result<Secret, Error> {
+        let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy };
         let get_request = get_request.serialize_to_packet().to_vec()?;
 
         let get_response = self.secret_management_request(&get_request)?;
@@ -532,8 +541,9 @@
 #[rdroidtest(get_instances())]
 fn secret_management_policy_gate(instance: String) {
     let dice_chain = make_explicit_owned_dice(/*Security version in a node */ 100);
-    let mut sk_client = SkClient::with_identity(&instance, dice_chain);
-    sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE).unwrap();
+    let mut sk_client_original = SkClient::with_identity(&instance, dice_chain);
+    sk_client_original.store(&ID_EXAMPLE, &SECRET_EXAMPLE).unwrap();
+    assert_eq!(sk_client_original.get(&ID_EXAMPLE).unwrap(), SECRET_EXAMPLE);
 
     // Start a session with higher security_version & get the stored secret.
     let dice_chain_upgraded = make_explicit_owned_dice(/*Security version in a node */ 101);
@@ -547,6 +557,20 @@
         sk_client_downgraded.get(&ID_EXAMPLE).unwrap_err(),
         Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
     ));
+
+    // Now get the secret with the later version, and upgrade the sealing policy along the way.
+    let sealing_policy =
+        sealing_policy(sk_client_upgraded.dice_artifacts.explicit_key_dice_chain().unwrap());
+    assert_eq!(
+        sk_client_upgraded.get_update_policy(&ID_EXAMPLE, Some(sealing_policy)).unwrap(),
+        SECRET_EXAMPLE
+    );
+
+    // The original version of the client should no longer be able to retrieve the secret.
+    assert!(matches!(
+        sk_client_original.get(&ID_EXAMPLE).unwrap_err(),
+        Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
+    ));
 }
 
 // Helper method that constructs 3 SecretManagement requests. Callers would usually not care about