feat: secrets manager interface (#75)

Author: leoparente

agent/agent.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/configmgr"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 	"github.com/netboxlabs/orb-agent/agent/version"
 )
 
@@ -49,8 +50,9 @@ type orbAgent struct {
 	// AgentGroup channels sent from core
 	groupsInfos map[string]groupInfo
 
-	policyManager policymgr.PolicyManager
-	configManager configmgr.Manager
+	policyManager  policymgr.PolicyManager
+	configManager  configmgr.Manager
+	secretsManager secretsmgr.Manager
 }
 
 type groupInfo struct {
@@ -71,9 +73,15 @@ func New(logger *zap.Logger, c config.Config) (Agent, error) {
 		logger.Error("policy manager failed to get repository", zap.Error(err))
 		return nil, err
 	}
-	cm := configmgr.New(logger, pm, c.OrbAgent.ConfigManager)
 
-	return &orbAgent{logger: logger, config: c, policyManager: pm, configManager: cm, groupsInfos: make(map[string]groupInfo)}, nil
+	sm := secretsmgr.New(logger, c.OrbAgent.SecretsManger)
+
+	cm := configmgr.New(logger, pm, sm, c.OrbAgent.ConfigManager)
+
+	return &orbAgent{
+		logger: logger, config: c, policyManager: pm, configManager: cm,
+		secretsManager: sm, groupsInfos: make(map[string]groupInfo),
+	}, nil
 }
 
 func (a *orbAgent) startBackends(agentCtx context.Context) error {
@@ -143,6 +151,11 @@ func (a *orbAgent) Start(ctx context.Context, cancelFunc context.CancelFunc) err
 	a.cancelFunction = cancelFunc
 	a.logger.Info("agent started", zap.String("version", version.GetBuildVersion()), zap.Any("routine", agentCtx.Value(routineKey)))
 
+	if err := a.secretsManager.Start(ctx); err != nil {
+		a.logger.Error("error during start secrets manager", zap.Error(err))
+		return err
+	}
+
 	if err := a.startBackends(ctx); err != nil {
 		return err
 	}

agent/config/types.go

@@ -32,16 +32,37 @@ type GitManager struct {
 	PrivateKey string  `mapstructure:"private_key"`
 }
 
-// ManagerSources represents the configuration for manager sources, including cloud, local and git.
-type ManagerSources struct {
+// Sources represents the configuration for manager sources, including cloud, local and git.
+type Sources struct {
 	Local LocalManager `mapstructure:"local"`
 	Git   GitManager   `mapstructure:"git"`
 }
 
 // ManagerConfig represents the configuration for the Config Manager
 type ManagerConfig struct {
+	Active  string  `mapstructure:"active"`
+	Sources Sources `mapstructure:"sources"`
+}
+
+// VaultManager represents the configuration for the Vault manager
+type VaultManager struct {
+	Auth      string         `yaml:"auth"`
+	AuthArgs  map[string]any `mapstructure:"auth_args"`
+	Address   string         `yaml:"address"`
+	Namespace string         `yaml:"namespace"`
+	Timeout   *int           `yaml:"timeout,omitempty"`
+	Schedule  *string        `yaml:"schedule,omitempty"`
+}
+
+// SecretsSources represents the configuration for manager sources, including vault.
+type SecretsSources struct {
+	Vault VaultManager `mapstructure:"vault"`
+}
+
+// ManagerSecrets represents the configuration for the Secrets Manager
+type ManagerSecrets struct {
 	Active  string         `mapstructure:"active"`
-	Sources ManagerSources `mapstructure:"sources"`
+	Sources SecretsSources `mapstructure:"sources"`
 }
 
 // BackendCommons represents common configuration for backends
@@ -64,6 +85,7 @@ type OrbAgent struct {
 	Policies      map[string]map[string]any `mapstructure:"policies"`
 	Labels        map[string]string         `mapstructure:"labels"`
 	ConfigManager ManagerConfig             `mapstructure:"config_manager"`
+	SecretsManger ManagerSecrets            `mapstructure:"secrets_manager"`
 	Debug         struct {
 		Enable bool `mapstructure:"enable"`
 	} `mapstructure:"debug"`

agent/configmgr/git.go

@@ -24,13 +24,15 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 )
 
 var _ Manager = (*gitConfigManager)(nil)
 
 type gitConfigManager struct {
 	logger           *zap.Logger
 	pMgr             policymgr.PolicyManager
+	sMgr             secretsmgr.Manager
 	config           config.GitManager
 	scheduler        gocron.Scheduler
 	repo             *gitv5.Repository
@@ -157,6 +159,11 @@ func (gc *gitConfigManager) applyPolicies(policies policyData, backends map[stri
 				Version:   gc.version,
 				Data:      data,
 			}
+			var err error
+			payload, err = gc.sMgr.SolveSecrets(payload)
+			if err != nil {
+				return err
+			}
 			gc.pMgr.ManagePolicy(payload)
 		}
 	}

agent/configmgr/local.go

@@ -10,13 +10,15 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 )
 
 var _ Manager = (*localConfigManager)(nil)
 
 type localConfigManager struct {
 	logger *zap.Logger
 	pMgr   policymgr.PolicyManager
+	sMgr   secretsmgr.Manager
 	config config.LocalManager
 }
 
@@ -37,6 +39,11 @@ func (lc *localConfigManager) Start(cfg config.Config, backends map[string]backe
 				ID: policyID, Action: "manage",
 				Name: pName, DatasetID: id, Backend: beName, Version: 1, Data: data,
 			}
+			var err error
+			payload, err = lc.sMgr.SolveSecrets(payload)
+			if err != nil {
+				return err
+			}
 			lc.pMgr.ManagePolicy(payload)
 		}
 

agent/configmgr/manager.go

@@ -8,6 +8,7 @@ import (
 	"github.com/netboxlabs/orb-agent/agent/backend"
 	"github.com/netboxlabs/orb-agent/agent/config"
 	"github.com/netboxlabs/orb-agent/agent/policymgr"
+	"github.com/netboxlabs/orb-agent/agent/secretsmgr"
 )
 
 // Manager is the interface for configuration manager
@@ -17,13 +18,13 @@ type Manager interface {
 }
 
 // New creates a new instance of ConfigManager based on the configuration
-func New(logger *zap.Logger, mgr policymgr.PolicyManager, c config.ManagerConfig) Manager {
+func New(logger *zap.Logger, pMgr policymgr.PolicyManager, sMgr secretsmgr.Manager, c config.ManagerConfig) Manager {
 	switch c.Active {
 	case "local":
-		return &localConfigManager{logger: logger, pMgr: mgr, config: c.Sources.Local}
+		return &localConfigManager{logger: logger, pMgr: pMgr, sMgr: sMgr, config: c.Sources.Local}
 	case "git":
-		return &gitConfigManager{logger: logger, pMgr: mgr, config: c.Sources.Git}
+		return &gitConfigManager{logger: logger, pMgr: pMgr, sMgr: sMgr, config: c.Sources.Git}
 	default:
-		return &localConfigManager{logger: logger, pMgr: mgr, config: c.Sources.Local}
+		return &localConfigManager{logger: logger, pMgr: pMgr, sMgr: sMgr, config: c.Sources.Local}
 	}
 }

agent/secretsmgr/manager.go

@@ -0,0 +1,41 @@
+package secretsmgr
+
+import (
+	"context"
+
+	"go.uber.org/zap"
+
+	"github.com/netboxlabs/orb-agent/agent/config"
+)
+
+// Manager is an interface for managing secrets
+type Manager interface {
+	Start(ctx context.Context) error
+	RegisterUpdateCallback(callback func([]string))
+	SolveSecrets(payload config.PolicyPayload) (config.PolicyPayload, error)
+}
+
+// New creates a new instance of ConfigManager based on the configuration
+func New(logger *zap.Logger, c config.ManagerSecrets) Manager {
+	switch c.Active {
+	case "vault":
+		return &vaultManager{logger: logger, config: c.Sources.Vault}
+	default:
+		return &dummyManager{}
+	}
+}
+
+var _ Manager = (*dummyManager)(nil)
+
+type dummyManager struct{}
+
+func (v *dummyManager) Start(_ context.Context) error {
+	return nil
+}
+
+func (v *dummyManager) RegisterUpdateCallback(_ func([]string)) {
+}
+
+func (v *dummyManager) SolveSecrets(payload config.PolicyPayload) (config.PolicyPayload, error) {
+	return payload, nil
+}

agent/secretsmgr/vault.go

@@ -0,0 +1,192 @@
+package secretsmgr
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	vault "github.com/hashicorp/vault/api"
+	"go.uber.org/zap"
+
+	"github.com/netboxlabs/orb-agent/agent/config"
+)
+
+var _ Manager = (*vaultManager)(nil)
+
+type vaultManager struct {
+	logger   *zap.Logger
+	config   config.VaultManager
+	ctx      context.Context
+	client   *vault.Client
+	usedVars map[string]cachedSecret
+	callback func([]string)
+	auth     authMethod
+	token    *vault.Secret
+}
+
+type cachedSecret struct {
+	Value     string         // The actual secret value
+	policyIDs map[string]any // The IDs of policies that have used this secret
+}
+
+func (v *vaultManager) Start(ctx context.Context) error {
+	v.ctx = ctx
+	v.usedVars = make(map[string]cachedSecret)
+
+	config := vault.DefaultConfig()
+
+	config.Address = v.config.Address
+	if v.config.Timeout == nil || *v.config.Timeout == 0 {
+		config.Timeout = 60 * time.Second
+	} else {
+		config.Timeout = time.Duration(*v.config.Timeout) * time.Second
+	}
+
+	if v.config.Auth == "" {
+		return fmt.Errorf("no auth method specified")
+	}
+
+	var err error
+	v.client, err = vault.NewClient(config)
+	if err != nil {
+		return err
+	}
+
+	if v.config.Namespace != "" {
+		v.client.SetNamespace(v.config.Namespace)
+	}
+
+	v.auth, err = newAuthentication(v.config.Auth, v.config.AuthArgs)
+	if err != nil {
+		return err
+	}
+
+	v.token, err = v.auth.vaultAuthenticate(ctx, v.client)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// RegisterUpdateCallback registers a callback function to be called when secrets are updated
+func (v *vaultManager) RegisterUpdateCallback(callback func([]string)) {
+	v.callback = callback
+}
+
+// SolveSecrets processes a policy payload and replaces vault references with environment variables
+func (v *vaultManager) SolveSecrets(payload config.PolicyPayload) (config.PolicyPayload, error) {
+	// Create a copy of the payload
+	newPayload := payload
+
+	// Process the Data field
+	processedData, err := v.processValue(payload.Data, payload.ID)
+	if err != nil {
+		return payload, err
+	}
+
+	newPayload.Data = processedData
+	return newPayload, nil
+}
+
+func (v *vaultManager) processValue(value any, id string) (any, error) {
+	switch val := value.(type) {
+	case string:
+		return v.processString(val, id)
+	case map[string]any:
+		return v.processMap(val, id)
+	case []any:
+		return v.processSlice(val, id)
+	default:
+		return val, nil
+	}
+}
+
+// processString processes a string and replaces vault references
+func (v *vaultManager) processString(s string, id string) (string, error) {
+	re := regexp.MustCompile(`\${vault://([^}]+)}`)
+	if !re.MatchString(s) {
+		return s, nil
+	}
+
+	match := re.FindStringSubmatchIndex(s)
+	if match == nil || len(match) < 4 {
+		return "", fmt.Errorf("failed to find vault reference in string: %s", s)
+	}
+
+	vaultPath := s[match[2]:match[3]]
+
+	if secrets, exists := v.usedVars[vaultPath]; exists {
+		secrets.policyIDs[id] = true
+		v.usedVars[vaultPath] = secrets
+		return secrets.Value, nil
+	}
+
+	secret, err := v.getSecret(vaultPath)
+	if err != nil {
+		return "", err
+	}
+
+	v.usedVars[vaultPath] = cachedSecret{
+		Value:     secret,
+		policyIDs: map[string]any{id: true},
+	}
+
+	return secret, nil
+}
+
+// processMap processes a map recursively and replaces vault references in its values
+func (v *vaultManager) processMap(m map[string]any, id string) (map[string]any, error) {
+	result := make(map[string]any)
+	for key, val := range m {
+		processedVal, err := v.processValue(val, id)
+		if err != nil {
+			return nil, fmt.Errorf("failed to process value for key %s: %w", key, err)
+		}
+		result[key] = processedVal
+	}
+	return result, nil
+}
+
+// processSlice processes a slice recursively and replaces vault references in its elements
+func (v *vaultManager) processSlice(s []any, id string) ([]any, error) {
+	result := make([]any, len(s))
+	for i, val := range s {
+		processedVal, err := v.processValue(val, id)
+		if err != nil {
+			return nil, fmt.Errorf("failed to process value at index %d: %w", i, err)
+		}
+		result[i] = processedVal
+	}
+	return result, nil
+}
+
+// getSecret retrieves a secret from the vault
+func (v *vaultManager) getSecret(path string) (string, error) {
+	// Split the path by forward slashes
+	parts := strings.Split(path, "/")
+	if len(parts) < 3 {
+		return "", fmt.Errorf("invalid vault path format: %s", path)
+	}
+	secret, err := v.client.KVv2(parts[0]).Get(v.ctx, strings.Join(parts[1:len(parts)-1], "/"))
+	if err != nil {
+		return "", fmt.Errorf("failed to get secret path %s: %w", path, err)
+	}
+	if secret == nil || secret.Data == nil {
+		return "", fmt.Errorf("secret not found: %s", path)
+	}
+	value, ok := secret.Data[parts[len(parts)-1]]
+	if !ok {
+		return "", fmt.Errorf("secret not found: %s", path)
+	}
+	strValue, ok := value.(string)
+	if !ok {
+		return "", fmt.Errorf("secret is not a string: %s", path)
+	}
+	if strValue == "" {
+		return "", fmt.Errorf("secret is empty: %s", path)
+	}
+	return strValue, nil
+}

agent/secretsmgr/vault_auth.go

@@ -0,0 +1,256 @@
+package secretsmgr
+
+import (
+	"context"
+	"fmt"
+
+	vault "github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/api/auth/approle"
+	"github.com/hashicorp/vault/api/auth/kubernetes"
+	"github.com/hashicorp/vault/api/auth/ldap"
+	"github.com/hashicorp/vault/api/auth/userpass"
+	"gopkg.in/yaml.v3"
+)
+
+type authMethod interface {
+	vaultAuthenticate(context.Context, *vault.Client) (*vault.Secret, error)
+}
+
+func newAuthentication(auth string, authArgs map[string]any) (authMethod, error) {
+	var authObj authMethod
+
+	switch auth {
+	case "token":
+		authObj = &AuthToken{}
+	case "approle":
+		authObj = &AuthAppRole{}
+	case "userpass":
+		authObj = &AuthUserPass{}
+	case "kubernetes":
+		authObj = &AuthKubernetes{}
+	case "ldap":
+		authObj = &AuthLDAP{}
+	case "aws", "azure", "gcp":
+		return nil, fmt.Errorf("auth method %s is not currently implemented", auth)
+	default:
+		return nil, fmt.Errorf("unsupported auth method: %s", auth)
+	}
+
+	// Convert the map to YAML
+	yamlData, err := yaml.Marshal(authArgs)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal auth_args: %w", err)
+	}
+
+	// Unmarshal YAML into the auth structure
+	if err := yaml.Unmarshal(yamlData, authObj); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal '%s' auth_args: %w", auth, err)
+	}
+
+	return authObj, nil
+}
+
+// AuthToken authenticates against Vault with a token.
+type AuthToken struct {
+	Token string `yaml:"token"`
+}
+
+// UnmarshalYAML for AuthToken validates required fields after unmarshaling
+func (a *AuthToken) UnmarshalYAML(value *yaml.Node) error {
+	type tempAuthToken AuthToken
+	temp := tempAuthToken{}
+	if err := value.Decode(&temp); err != nil {
+		return err
+	}
+	*a = AuthToken(temp)
+	if a.Token == "" {
+		return fmt.Errorf("missing required field 'token'")
+	}
+	return nil
+}
+
+func (a *AuthToken) vaultAuthenticate(_ context.Context, cli *vault.Client) (*vault.Secret, error) {
+	cli.SetToken(a.Token)
+	_, err := cli.Auth().Token().LookupSelf()
+	if err != nil {
+		return nil, err
+	}
+	return nil, nil
+}
+
+// AuthAppRole authenticates against Vault with AppRole.
+type AuthAppRole struct {
+	RoleID        string  `yaml:"role_id"`
+	SecretID      string  `yaml:"secret_id"`
+	WrappingToken bool    `yaml:"wrapping_token,ommitempty"`
+	MountPath     *string `yaml:"mount_path,ommitempty"`
+}
+
+// UnmarshalYAML for AuthAppRole validates required fields after unmarshaling
+func (a *AuthAppRole) UnmarshalYAML(value *yaml.Node) error {
+	type tempAuthAppRole AuthAppRole
+	temp := tempAuthAppRole{}
+	if err := value.Decode(&temp); err != nil {
+		return err
+	}
+	*a = AuthAppRole(temp)
+	if a.RoleID == "" {
+		return fmt.Errorf("missing required field 'role_id'")
+	}
+	if a.SecretID == "" {
+		return fmt.Errorf("missing required field 'secret_id'")
+	}
+	return nil
+}
+
+func (a *AuthAppRole) vaultAuthenticate(ctx context.Context, cli *vault.Client) (*vault.Secret, error) {
+	secret := &approle.SecretID{FromString: string(a.SecretID)}
+
+	var opts []approle.LoginOption
+	if a.WrappingToken {
+		opts = append(opts, approle.WithWrappingToken())
+	}
+	if a.MountPath != nil && *a.MountPath != "" {
+		opts = append(opts, approle.WithMountPath(*a.MountPath))
+	}
+
+	auth, err := approle.NewAppRoleAuth(a.RoleID, secret, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("auth.approle: %w", err)
+	}
+	s, err := cli.Auth().Login(ctx, auth)
+	if err != nil {
+		return nil, fmt.Errorf("auth.approle: %w", err)
+	}
+	return s, nil
+}
+
+// AuthUserPass authenticates against Vault with Userpass.
+type AuthUserPass struct {
+	Username  string `yaml:"username"`
+	Password  string `yaml:"password"`
+	MountPath string `yaml:"mount_path"`
+}
+
+// UnmarshalYAML for AuthUserPass validates required fields after unmarshaling
+func (a *AuthUserPass) UnmarshalYAML(value *yaml.Node) error {
+	type tempAuthUserPass AuthUserPass
+	temp := tempAuthUserPass{}
+	if err := value.Decode(&temp); err != nil {
+		return err
+	}
+	*a = AuthUserPass(temp)
+	if a.Username == "" {
+		return fmt.Errorf("missing required field 'username'")
+	}
+	if a.Password == "" {
+		return fmt.Errorf("missing required field 'password'")
+	}
+	return nil
+}
+
+func (a *AuthUserPass) vaultAuthenticate(ctx context.Context, cli *vault.Client) (*vault.Secret, error) {
+	secret := &userpass.Password{FromString: string(a.Password)}
+
+	var opts []userpass.LoginOption
+
+	if a.MountPath != "" {
+		opts = append(opts, userpass.WithMountPath(a.MountPath))
+	}
+
+	auth, err := userpass.NewUserpassAuth(a.Username, secret, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("auth.userpass: %w", err)
+	}
+	s, err := cli.Auth().Login(ctx, auth)
+	if err != nil {
+		return nil, fmt.Errorf("auth.userpass: %w", err)
+	}
+	return s, nil
+}
+
+// AuthKubernetes authenticates against Vault with Kubernetes.
+type AuthKubernetes struct {
+	Role                    string `yaml:"role"`
+	ServiceAccountTokenFile string `yaml:"service_account_file"`
+	MountPath               string `yaml:"mount_path"`
+}
+
+// UnmarshalYAML for AuthKubernetes validates required fields after unmarshaling
+func (a *AuthKubernetes) UnmarshalYAML(value *yaml.Node) error {
+	type tempAuthKubernetes AuthKubernetes
+	temp := tempAuthKubernetes{}
+	if err := value.Decode(&temp); err != nil {
+		return err
+	}
+	*a = AuthKubernetes(temp)
+	if a.Role == "" {
+		return fmt.Errorf("missing required field 'role'")
+	}
+	return nil
+}
+
+func (a *AuthKubernetes) vaultAuthenticate(ctx context.Context, cli *vault.Client) (*vault.Secret, error) {
+	var opts []kubernetes.LoginOption
+
+	if a.ServiceAccountTokenFile != "" {
+		opts = append(opts, kubernetes.WithServiceAccountTokenPath(a.ServiceAccountTokenFile))
+	}
+	if a.MountPath != "" {
+		opts = append(opts, kubernetes.WithMountPath(a.MountPath))
+	}
+
+	auth, err := kubernetes.NewKubernetesAuth(a.Role, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("auth.kubernetes: %w", err)
+	}
+	s, err := cli.Auth().Login(ctx, auth)
+	if err != nil {
+		return nil, fmt.Errorf("auth.kubernetes: %w", err)
+	}
+	return s, nil
+}
+
+// AuthLDAP authenticates against Vault with LDAP.
+type AuthLDAP struct {
+	Username  string `yaml:"username"`
+	Password  string `yaml:"password"`
+	MountPath string `yaml:"mount_path"`
+}
+
+// UnmarshalYAML for AuthLDAP validates required fields after unmarshaling
+func (a *AuthLDAP) UnmarshalYAML(value *yaml.Node) error {
+	type tempAuthLDAP AuthLDAP
+	temp := tempAuthLDAP{}
+	if err := value.Decode(&temp); err != nil {
+		return err
+	}
+	*a = AuthLDAP(temp)
+	if a.Username == "" {
+		return fmt.Errorf("missing required field 'username'")
+	}
+	if a.Password == "" {
+		return fmt.Errorf("missing required field 'password'")
+	}
+	return nil
+}
+
+func (a *AuthLDAP) vaultAuthenticate(ctx context.Context, cli *vault.Client) (*vault.Secret, error) {
+	secret := &ldap.Password{FromString: string(a.Password)}
+
+	var opts []ldap.LoginOption
+
+	if a.MountPath != "" {
+		opts = append(opts, ldap.WithMountPath(a.MountPath))
+	}
+
+	auth, err := ldap.NewLDAPAuth(a.Username, secret, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("auth.ldap: %w", err)
+	}
+	s, err := cli.Auth().Login(ctx, auth)
+	if err != nil {
+		return nil, fmt.Errorf("auth.ldap: %w", err)
+	}
+	return s, nil
+}

agent/secretsmgr/vault_test.go

@@ -0,0 +1,148 @@
+package secretsmgr
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	vault "github.com/hashicorp/vault/api"
+	vaulthttp "github.com/hashicorp/vault/http"
+	vaultsrv "github.com/hashicorp/vault/vault"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+
+	"github.com/netboxlabs/orb-agent/agent/config"
+)
+
+func TestVaultManager_getSecret(t *testing.T) {
+	// Create test vault server
+	ln, client := createTestVault(t)
+	defer func() {
+		if err := ln.Close(); err != nil {
+			assert.NoError(t, err, "Failed to close test vault listener")
+		}
+	}()
+
+	// Create the vault manager with the test client
+	logger, _ := zap.NewDevelopment()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	vm := &vaultManager{
+		logger: logger,
+		config: config.VaultManager{},
+		ctx:    ctx,
+		client: client,
+	}
+
+	tests := []struct {
+		name          string
+		path          string
+		expectedValue string
+		expectedError string
+	}{
+		{
+			name:          "valid path and secret",
+			path:          "testsecret/app/credentials/password",
+			expectedValue: "secretvalue",
+			expectedError: "",
+		},
+		{
+			name:          "invalid path format",
+			path:          "testsecret/password",
+			expectedValue: "",
+			expectedError: "invalid vault path format: testsecret/password",
+		},
+		{
+			name:          "secret not found",
+			path:          "testsecret/nonexistent/path/key",
+			expectedValue: "",
+			expectedError: "failed to get secret path testsecret/nonexistent/path/key:",
+		},
+		{
+			name:          "key not found in data",
+			path:          "testsecret/app/credentials/nonexistentkey",
+			expectedValue: "",
+			expectedError: "secret not found: testsecret/app/credentials/nonexistentkey",
+		},
+		{
+			name:          "non-string value",
+			path:          "testsecret/app/credentials/numeric",
+			expectedValue: "",
+			expectedError: "secret is not a string: testsecret/app/credentials/numeric",
+		},
+		{
+			name:          "empty string value",
+			path:          "testsecret/app/credentials/empty",
+			expectedValue: "",
+			expectedError: "secret is empty: testsecret/app/credentials/empty",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Call the method under test
+			value, err := vm.getSecret(tt.path)
+
+			// Assertions
+			if tt.expectedError != "" {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tt.expectedError)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expectedValue, value)
+			}
+		})
+	}
+}
+
+func createTestVault(t *testing.T) (net.Listener, *vault.Client) {
+	t.Helper()
+
+	// Create an in-memory, unsealed core
+	core, keyShares, rootToken := vaultsrv.TestCoreUnsealed(t)
+	_ = keyShares
+
+	// Start an HTTP server for the core
+	ln, addr := vaulthttp.TestServer(t, core)
+
+	// Create a client that talks to the server
+	conf := vault.DefaultConfig()
+	conf.Address = addr
+
+	client, err := vault.NewClient(conf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	client.SetToken(rootToken)
+
+	// Enable KV v2 secret engine
+	mountInput := &vault.MountInput{
+		Type:    "kv",
+		Options: map[string]string{"version": "2"},
+	}
+	err = client.Sys().Mount("testsecret", mountInput)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Wait for KV v2 to become available
+	time.Sleep(500 * time.Millisecond)
+
+	// Setup various test secrets
+	secrets := map[string]map[string]interface{}{
+		"app/credentials": {
+			"password": "secretvalue",
+			"numeric":  12345,
+			"empty":    "",
+		},
+	}
+
+	for path, data := range secrets {
+		_, err = client.KVv2("testsecret").Put(context.Background(), path, data)
+		require.NoError(t, err, "Failed to set up secret at %s", path)
+	}
+
+	return ln, client
+}