From ac52a2afd8888ece625bdab1d7709a64c5a5a946 Mon Sep 17 00:00:00 2001
From: Lauren Voswinkel
Date: Mon, 6 Jul 2020 14:31:45 -0700
Subject: [PATCH] Remove non-hash arg support for transform, add clarification of behavior
---
 lib/vault/encrypted_model.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/vault/encrypted_model.rb b/lib/vault/encrypted_model.rb
index 401ed045..13387803 100644
--- a/lib/vault/encrypted_model.rb
+++ b/lib/vault/encrypted_model.rb
@@ -42,7 +42,7 @@ module ClassMethods
 # a proc to encode the value with
 # @option options [Proc] :decode
 # a proc to decode the value with
- # @option options [Hash, String] :transform_secret
+ # @option options [Hash] :transform_secret
 # a hash providing details about a transformation to use,
 # or a name of an existing transformation
 def vault_attribute(attribute, options = {})
@@ -265,6 +265,9 @@ def __vault_load_attribute!(attribute, options)
 generated_context = __vault_generate_context(context)
 if transform
+ # If this is a secret encrypted with FPE, we do not need to decrypt with vault
+ # This prevents a double encryption via standard vault encryption and FPE.
+ # FPE is decrypted later as part of the serializer
 plaintext = ciphertext
 else
 # Load the plaintext value
@@ -345,6 +348,8 @@ def __vault_persist_attribute!(attribute, options)
 generated_context = __vault_generate_context(context)
 if transform
+ # If this is a secret encrypted with FPE, we should not encrypt it in vault
+ # This prevents a double encryption via standard vault encryption and FPE.
 ciphertext = plaintext
 else
 # Generate the ciphertext and store it back as an attribute
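Review bot: The description under `:transform_secret` in the `vault_attribute` doc comment still ends with `# or a name of an existing transformation`, which contradicts the type change to `[Hash]` on the line above it; that trailing line should be dropped so the description reads only `# a hash providing details about a transformation to use`. The patch as shown changes just the annotation, so unless `vault_attribute` (whose body lies outside the hunk) already rejects other types, a String passed here becomes undocumented rather than unsupported. An explicit check that raises when `:transform_secret` is not a Hash would make a misconfigured attribute fail early instead of silently taking the `transform` branch later.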
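Review bot: The `if transform` branch in `__vault_load_attribute!` (and the matching branch in `__vault_persist_attribute!` in the next hunk) bypasses Vault entirely, so the confidentiality of the stored column rests on the serializer having applied the FPE transformation; the new comments say where that happens for the load side only. On the persist side `ciphertext = plaintext` is safe only if the value is already encoded when this line runs, which cannot be confirmed from the hunk; if it is not, cleartext would be written to the encrypted column. I would add a line next to it such as `# plaintext must already be FPE-encoded by the serializer; it is stored as-is`, and consider failing closed when `transform` is set but no serializer is configured. Both method bodies start and end outside their hunks.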