From 98bc2d43bccc3c66cf2b2112472bf9f87c8611bc Mon Sep 17 00:00:00 2001
From: Lauren Voswinkel <lvoswinkel@hashicorp.com>
Date: Mon, 6 Jul 2020 14:31:45 -0700
Subject: [PATCH] Remove non-hash arg support for transform, add clarification
 of behavior

---
 lib/vault/encrypted_model.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/vault/encrypted_model.rb b/lib/vault/encrypted_model.rb
index 401ed045..ded8da22 100644
--- a/lib/vault/encrypted_model.rb
+++ b/lib/vault/encrypted_model.rb
@@ -42,7 +42,7 @@ module ClassMethods
       #   a proc to encode the value with
       # @option options [Proc] :decode
       #   a proc to decode the value with
-      # @option options [Hash, String] :transform_secret
+      # @option options [Hash] :transform_secret
       #   a hash providing details about a transformation to use,
       #   or a name of an existing transformation
       def vault_attribute(attribute, options = {})
@@ -345,6 +345,8 @@ def __vault_persist_attribute!(attribute, options)
         generated_context = __vault_generate_context(context)
 
         if transform
+          # If this is a secret encrypted with FPE, we should not encrypt it in vault
+          # This prevents a double encryption via standard vault encryption and FPE.
           ciphertext = plaintext
         else
           # Generate the ciphertext and store it back as an attribute