Remove non-hash arg support for transform, add clarification of behavior
Lauren Voswinkel committed Jul 6, 2020
1 parent 945dbdc commit a2cef6c
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion lib/vault/encrypted_model.rb
Expand Up @@ -42,7 +42,7 @@ module ClassMethods
# a proc to encode the value with
# @option options [Proc] :decode
# a proc to decode the value with
# @option options [Hash, String] :transform_secret
# @option options [Hash] :transform_secret
# a hash providing details about a transformation to use,
# or a name of an existing transformation
def vault_attribute(attribute, options = {})
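
Review bot: The `:transform_secret` option is now typed `[Hash]`, but the description two lines below still reads "or a name of an existing transformation", which documents the String form this commit says it removes. Drop that clause so the docs match the new contract. The page also reports 7 additions and 1 deletion, all of which are comment lines, so nothing visible here rejects a String at runtime; consider having `vault_attribute` raise an `ArgumentError` when `options[:transform_secret]` is not a Hash, so a caller still passing a name fails loudly instead of silently taking a different path.
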
Expand Down Expand Up @@ -265,6 +265,9 @@ def __vault_load_attribute!(attribute, options)
generated_context = __vault_generate_context(context)

if transform
# If this is a secret encrypted with FPE, we do not need to decrypt with vault
# This prevents a double encryption via standard vault encryption and FPE.
# FPE is decrypted later as part of the serializer
plaintext = ciphertext
else
# Load the plaintext value
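
Review bot: The second comment line in the `if transform` branch of `__vault_load_attribute!` says this "prevents a double encryption", but this is the load path, so the thing being avoided is a second decryption attempt; reword it to say that. It would also help to state in the comment that after `plaintext = ciphertext` the variable named `plaintext` still holds the FPE-encoded value until the serializer runs, since the name suggests otherwise. Minor style: capitalize "Vault" and end the first and third comment sentences with periods, as the second one does.
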
Expand Down Expand Up @@ -345,6 +348,9 @@ def __vault_persist_attribute!(attribute, options)
generated_context = __vault_generate_context(context)

if transform
# If this is a secret encrypted with FPE, we should not encrypt it in vault
# This prevents a double encryption via standard vault encryption and FPE.
# FPE was performed earlier as part of the serialization process.
ciphertext = plaintext
else
# Generate the ciphertext and store it back as an attribute
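
Review bot: In the `if transform` branch of `__vault_persist_attribute!`, `ciphertext = plaintext` is only safe because of the assumption stated in the comment, that FPE already ran during serialization, and nothing in this branch checks it. If that earlier step is skipped or not configured for the attribute, this assignment would write the value to the ciphertext column without any encryption. Consider a guard here (for example, confirming the attribute has the transform serializer attached before taking this branch) or, at minimum, say in the comment where that invariant is enforced.
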

0 comments on commit a2cef6c
