From 5498cfa85a3b3e42d1aabbe349d1a022dd56916b Mon Sep 17 00:00:00 2001
From: David Drysdale
Date: Mon, 29 Jan 2024 17:29:04 +0000
Subject: [PATCH] Secretkeeper: test sealing policy update
Test: VtsSecretkeeperTargetTest
Change-Id: Ib1d60dc2f80aa8b02011506af7e5c310ad92573a
---
 .../aidl/vts/secretkeeper_test_client.rs | 30 +++++++++++++++++--
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs b/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
index 8c33f0412d..439883f95d 100644
--- a/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
+++ b/security/secretkeeper/aidl/vts/secretkeeper_test_client.rs
@@ -171,7 +171,16 @@ impl SkClient {
 /// Helper method to get a secret.
 fn get(&mut self, id: &Id) -> Result {
- let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy: None };
+ self.get_update_policy(id, None)
+ }
+
+ /// Helper method to get a secret, updating the sealing policy along the way.
+ fn get_update_policy(
+ &mut self,
+ id: &Id,
+ updated_sealing_policy: Option>,
+ ) -> Result {
+ let get_request = GetSecretRequest { id: id.clone(), updated_sealing_policy };
 let get_request = get_request.serialize_to_packet().to_vec()?;
 let get_response = self.secret_management_request(&get_request)?;
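Review bot: The doc comment on `get_update_policy` does not describe the `updated_sealing_policy` argument or what passing `None` means, which matters now that `get` is only a wrapper around it. Suggested wording: `/// Helper method to get a secret. If updated_sealing_policy is Some, it is sent in the GetSecretRequest as the replacement sealing policy for this entry; None sends no update.` The body of `get_update_policy` continues past the end of the hunk, so how the response is handled is not visible here.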
@@ -532,8 +541,9 @@ fn secret_management_replay_protection_out_of_seq_req_not_accepted(instance: Str
 #[rdroidtest(get_instances())]
 fn secret_management_policy_gate(instance: String) {
 let dice_chain = make_explicit_owned_dice(/*Security version in a node */ 100);
- let mut sk_client = SkClient::with_identity(&instance, dice_chain);
- sk_client.store(&ID_EXAMPLE, &SECRET_EXAMPLE).unwrap();
+ let mut sk_client_original = SkClient::with_identity(&instance, dice_chain);
+ sk_client_original.store(&ID_EXAMPLE, &SECRET_EXAMPLE).unwrap();
+ assert_eq!(sk_client_original.get(&ID_EXAMPLE).unwrap(), SECRET_EXAMPLE);
 // Start a session with higher security_version & get the stored secret.
 let dice_chain_upgraded = make_explicit_owned_dice(/*Security version in a node */ 101);
@@ -547,6 +557,20 @@ fn secret_management_policy_gate(instance: String) {
 sk_client_downgraded.get(&ID_EXAMPLE).unwrap_err(),
 Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
 ));
+
+ // Now get the secret with the later version, and upgrade the sealing policy along the way.
+ let sealing_policy =
+ sealing_policy(sk_client_upgraded.dice_artifacts.explicit_key_dice_chain().unwrap());
+ assert_eq!(
+ sk_client_upgraded.get_update_policy(&ID_EXAMPLE, Some(sealing_policy)).unwrap(),
+ SECRET_EXAMPLE
+ );
+
+ // The original version of the client should no longer be able to retrieve the secret.
+ assert!(matches!(
+ sk_client_original.get(&ID_EXAMPLE).unwrap_err(),
+ Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
+ ));
 }
 // Helper method that constructs 3 SecretManagement requests. Callers would usually not care about
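Review bot: The assertions added at the end of `secret_management_policy_gate` cover only the successful policy upgrade; nothing checks that a get rejected with `DicePolicyError` leaves the stored sealing policy untouched when the request itself carries an `updated_sealing_policy`. Since the policy update is what provides rollback protection for the secret, a regression that applied the update before evaluating the stored policy would pass this test. The sketch below adds that negative case before the upgrade step, plus a plain `get` from the upgraded client afterwards to confirm the secret is still readable under the new policy; it assumes the downgraded client's chain can be turned into a policy the same way as the upgraded one. Separately, the local `sealing_policy` shadows the helper function of the same name, so a distinct name would read more clearly.

```rust
    // … unchanged: downgraded client's plain get is rejected with DicePolicyError …

    // A rejected get must not install the sealing policy it carries.
    let downgraded_policy =
        sealing_policy(sk_client_downgraded.dice_artifacts.explicit_key_dice_chain().unwrap());
    assert!(matches!(
        sk_client_downgraded.get_update_policy(&ID_EXAMPLE, Some(downgraded_policy)).unwrap_err(),
        Error::SecretkeeperError(SecretkeeperError::DicePolicyError)
    ));
    assert_eq!(sk_client_original.get(&ID_EXAMPLE).unwrap(), SECRET_EXAMPLE);

    // … unchanged: upgraded client gets the secret and updates the sealing policy …

    // The secret stays readable by the upgraded client under the new policy.
    assert_eq!(sk_client_upgraded.get(&ID_EXAMPLE).unwrap(), SECRET_EXAMPLE);
```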