slosilo 1.1.0 → 2.2.2

data/lib/slosilo/symmetric.rb

@@ -1,25 +1,40 @@
 module Slosilo
   class Symmetric
+    VERSION_MAGIC = 'G'
+    TAG_LENGTH = 16
+
     def initialize
-      @cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+      @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
     end
-    
+
+    # This lets us do a final sanity check in migrations from older encryption versions
+    def cipher_name
+      @cipher.name
+    end
+
     def encrypt plaintext, opts = {}
       @cipher.reset
       @cipher.encrypt
-      @cipher.key = opts[:key]
+      @cipher.key = (opts[:key] or raise("missing :key option"))
       @cipher.iv = iv = random_iv
-      ctxt = @cipher.update(plaintext)
-      iv + ctxt + @cipher.final
+      @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
+      ctext = @cipher.update(plaintext) + @cipher.final
+      tag = @cipher.auth_tag(TAG_LENGTH)
+      "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
     end
-    
+
     def decrypt ciphertext, opts = {}
+      version, tag, iv, ctext = unpack ciphertext
+
+      raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
+
       @cipher.reset
       @cipher.decrypt
       @cipher.key = opts[:key]
-      @cipher.iv, ctxt = ciphertext.unpack("a#{@cipher.iv_len}a*")
-      ptxt = @cipher.update(ctxt)
-      ptxt + @cipher.final
+      @cipher.iv = iv
+      @cipher.auth_tag = tag
+      @cipher.auth_data = opts[:aad] || ""
+      @cipher.update(ctext) + @cipher.final
     end
     
     def random_iv
@@ -29,5 +44,11 @@ module Slosilo
     def random_key
       @cipher.random_key
     end
+
+    private
+    # return tag, iv, ctext
+    def unpack msg
+      msg.unpack "aa#{TAG_LENGTH}a#{@cipher.iv_len}a*"
+    end
   end
 end

data/lib/slosilo/version.rb

@@ -1,3 +1,3 @@
 module Slosilo
-  VERSION = "1.1.0"
+  VERSION = "2.2.2"
 end

data/lib/tasks/slosilo.rake

@@ -24,4 +24,9 @@ namespace :slosilo do
   task :migrate => :environment do |t|
     Slosilo.adapter.migrate!
   end
+
+  desc "Recalculate fingerprints in keystore"
+  task :recalculate_fingerprints => :environment do |t|
+    Slosilo.adapter.recalculate_fingerprints
+  end
 end

data/publish-rubygem.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem slosilo
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd

data/slosilo.gemspec

@@ -1,5 +1,12 @@
 # -*- encoding: utf-8 -*-
-require File.expand_path('../lib/slosilo/version', __FILE__)
+begin
+  require File.expand_path('../lib/slosilo/version', __FILE__)
+rescue LoadError
+  # so that bundle can be run without the app code
+  module Slosilo
+    VERSION = '0.0.0'
+  end
+end
 
 Gem::Specification.new do |gem|
   gem.authors       = ["Rafa\305\202 Rzepecki"]
@@ -16,12 +23,14 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = Slosilo::VERSION
   gem.required_ruby_version = '>= 1.9.3'
-  
+
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'ci_reporter_rspec'
   gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'simplecov-cobertura'
   gem.add_development_dependency 'io-grab', '~> 0.0.1'
   gem.add_development_dependency 'sequel' # for sequel tests
   gem.add_development_dependency 'sqlite3' # for sequel tests
+  gem.add_development_dependency 'activesupport' # for convenience in specs
 end

data/spec/encrypted_attributes_spec.rb

@@ -0,0 +1,114 @@
+require 'spec_helper'
+require 'slosilo/attr_encrypted'
+
+describe Slosilo::EncryptedAttributes do
+  before(:all) do
+    Slosilo::encryption_key = OpenSSL::Cipher.new("aes-256-gcm").random_key
+  end
+
+  let(:aad) { proc{ |_| "hithere" } }
+
+  let(:base){
+    Class.new do
+      attr_accessor :normal_ivar,:with_aad
+      def stupid_ivar
+        side_effect!
+        @_explicit
+      end
+      def stupid_ivar= e
+        side_effect!
+        @_explicit = e
+      end
+      def side_effect!
+
+      end
+    end
+  }
+
+  let(:sub){
+    Class.new(base) do
+      attr_encrypted :normal_ivar, :stupid_ivar
+    end
+  }
+
+  subject{ sub.new  }
+
+  context "when setting a normal ivar" do
+    let(:value){ "some value" }
+    it "stores an encrypted value in the ivar" do
+      subject.normal_ivar = value
+      expect(subject.instance_variable_get(:"@normal_ivar")).to_not eq(value)
+    end
+
+    it "recovers the value set" do
+      subject.normal_ivar = value
+      expect(subject.normal_ivar).to eq(value)
+    end
+  end
+
+  context "when setting an attribute with an implementation" do
+    it "calls the base class method" do
+      expect(subject).to receive_messages(:side_effect! => nil)
+      subject.stupid_ivar = "hi"
+      expect(subject.stupid_ivar).to eq("hi")
+    end
+  end
+
+  context "when given an :aad option" do
+
+    let(:cipher){ Slosilo::EncryptedAttributes.cipher }
+    let(:key){ Slosilo::EncryptedAttributes.key}
+    context "that is a string" do
+      let(:aad){ "hello there" }
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+      it "encrypts the value with the given string  for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad)
+        subject.with_aad = "hello"
+      end
+
+      it "decrypts the encrypted value" do
+        subject.with_aad = "foo"
+        expect(subject.with_aad).to eq("foo")
+      end
+    end
+
+    context "that is nil" do
+      let(:aad){ nil }
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+      it "encrypts the value with an empty string for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello",key: key, aad: "").and_call_original
+        subject.with_aad = "hello"
+      end
+
+      it "decrypts the encrypted value" do
+        subject.with_aad = "hello"
+        expect(subject.with_aad).to eq("hello")
+      end
+    end
+
+    context "that is a proc" do
+      let(:aad){
+        proc{ |o| "x" }
+      }
+
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+
+      it "calls the proc with the object being encrypted" do
+        expect(aad).to receive(:[]).with(subject).and_call_original
+        subject.with_aad = "hi"
+      end
+
+      it "encrypts the value with the string returned for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad[subject]).and_call_original
+        subject.with_aad = "hello"
+      end
+      it "decrypts the encrypted value" do
+        subject.with_aad = "hello"
+        expect(subject.with_aad).to eq("hello")
+      end
+    end
+
+  end
+
+
+end

data/spec/file_adapter_spec.rb

@@ -22,7 +22,7 @@ describe Slosilo::Adapters::FileAdapter do
     context "unacceptable id" do
       let(:id) { "foo.bar" }
       it "isn't accepted" do
-        expect { subject.put_key id, key }.to raise_error
+        expect { subject.put_key id, key }.to raise_error /id should not contain a period/
       end    
     end
     context "acceptable id" do

data/spec/jwt_spec.rb

@@ -0,0 +1,102 @@
+require 'spec_helper'
+
+# (Mostly) integration tests for JWT token format
+describe Slosilo::Key do
+  include_context "with example key"
+
+  describe '#issue_jwt' do
+    it 'issues an JWT token with given claims' do
+      allow(Time).to receive(:now) { DateTime.parse('2014-06-04 23:22:32 -0400').to_time }
+
+      tok = key.issue_jwt sub: 'host/example', cidr: %w(fec0::/64)
+
+      expect(tok).to be_frozen
+
+      expect(tok.header).to eq \
+        alg: 'conjur.org/slosilo/v2',
+        kid: key_fingerprint
+      expect(tok.claims).to eq \
+        iat: 1401938552,
+        sub: 'host/example',
+        cidr: ['fec0::/64']
+
+      expect(key.verify_signature tok.string_to_sign, tok.signature).to be_truthy
+    end
+  end
+end
+
+describe Slosilo::JWT do
+  context "with a signed token" do
+    let(:signature) { 'very signed, such alg' }
+    subject(:token) { Slosilo::JWT.new test: "token" }
+    before do
+      allow(Time).to receive(:now) { DateTime.parse('2014-06-04 23:22:32 -0400').to_time }
+      token.add_signature(alg: 'test-sig') { signature }
+    end
+
+    it 'allows conversion to JSON representation with #to_json' do
+      json = JSON.load token.to_json
+      expect(JSON.load Base64.urlsafe_decode64 json['protected']).to eq \
+          'alg' => 'test-sig'
+      expect(JSON.load Base64.urlsafe_decode64 json['payload']).to eq \
+          'iat' => 1401938552, 'test' => 'token'
+      expect(Base64.urlsafe_decode64 json['signature']).to eq signature
+    end
+
+    it 'allows conversion to compact representation with #to_s' do
+      h, c, s = token.to_s.split '.'
+      expect(JSON.load Base64.urlsafe_decode64 h).to eq \
+          'alg' => 'test-sig'
+      expect(JSON.load Base64.urlsafe_decode64 c).to eq \
+          'iat' => 1401938552, 'test' => 'token'
+      expect(Base64.urlsafe_decode64 s).to eq signature
+    end
+  end
+
+  describe '#to_json' do
+    it "passes any parameters" do
+      token = Slosilo::JWT.new
+      allow(token).to receive_messages \
+          header: :header,
+          claims: :claims,
+          signature: :signature
+      expect_any_instance_of(Hash).to receive(:to_json).with :testing
+      expect(token.to_json :testing)
+    end
+  end
+
+  describe '()' do
+    include_context "with example key"
+
+    it 'understands both serializations' do
+      [COMPACT_TOKEN, JSON_TOKEN].each do |token|
+        token = Slosilo::JWT token
+        expect(token.header).to eq \
+            'typ' => 'JWT',
+            'alg' => 'conjur.org/slosilo/v2',
+            'kid' => key_fingerprint
+        expect(token.claims).to eq \
+            'sub' => 'host/example',
+            'iat' => 1401938552,
+            'exp' => 1401938552 + 60*60,
+            'cidr' => ['fec0::/64']
+        expect(key.verify_signature token.string_to_sign, token.signature).to be_truthy
+      end
+    end
+
+    it 'is a noop if already parsed' do
+      token = Slosilo::JWT COMPACT_TOKEN
+      expect(Slosilo::JWT token).to eq token
+    end
+
+    it 'raises ArgumentError on failure to convert' do
+      expect { Slosilo::JWT "foo bar" }.to raise_error ArgumentError
+      expect { Slosilo::JWT elite: 31337 }.to raise_error ArgumentError
+      expect { Slosilo::JWT "foo.bar.xyzzy" }.to raise_error ArgumentError
+    end
+  end
+
+  COMPACT_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=.eyJzdWIiOiJob3N0L2V4YW1wbGUiLCJjaWRyIjpbImZlYzA6Oi82NCJdLCJleHAiOjE0MDE5NDIxNTIsImlhdCI6MTQwMTkzODU1Mn0=.qSxy6gx0DbiIc-Wz_vZhBsYi1SCkHhzxfMGPnnG6MTqjlzy7ntmlU2H92GKGoqCRo6AaNLA_C3hA42PeEarV5nMoTj8XJO_kwhrt2Db2OX4u83VS0_enoztWEZG5s45V0Lv71lVR530j4LD-hpqhm_f4VuISkeH84u0zX7s1zKOlniuZP-abCAHh0htTnrVz9wKG0VywkCUmWYyNNqC2h8PRf64SvCWcQ6VleHpjO-ms8OeTw4ZzRbzKMi0mL6eTmQlbT3PeBArUaS0pNJPg9zdDQaL2XDOofvQmj6Yy_8RA4eCt9HEfTYEdriVqK-_9QCspbGzFVn9GTWf51MRi5dngV9ItsDoG9ktDtqFuMttv7TcqjftsIHZXZsAZ175E".freeze
+
+  JSON_TOKEN = "{\"protected\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=\",\"payload\":\"eyJzdWIiOiJob3N0L2V4YW1wbGUiLCJjaWRyIjpbImZlYzA6Oi82NCJdLCJleHAiOjE0MDE5NDIxNTIsImlhdCI6MTQwMTkzODU1Mn0=\",\"signature\":\"qSxy6gx0DbiIc-Wz_vZhBsYi1SCkHhzxfMGPnnG6MTqjlzy7ntmlU2H92GKGoqCRo6AaNLA_C3hA42PeEarV5nMoTj8XJO_kwhrt2Db2OX4u83VS0_enoztWEZG5s45V0Lv71lVR530j4LD-hpqhm_f4VuISkeH84u0zX7s1zKOlniuZP-abCAHh0htTnrVz9wKG0VywkCUmWYyNNqC2h8PRf64SvCWcQ6VleHpjO-ms8OeTw4ZzRbzKMi0mL6eTmQlbT3PeBArUaS0pNJPg9zdDQaL2XDOofvQmj6Yy_8RA4eCt9HEfTYEdriVqK-_9QCspbGzFVn9GTWf51MRi5dngV9ItsDoG9ktDtqFuMttv7TcqjftsIHZXZsAZ175E\"}".freeze
+end

data/spec/key_spec.rb

@@ -1,5 +1,8 @@
 require 'spec_helper'
 
+require 'active_support'
+require 'active_support/core_ext/numeric/time'
+
 describe Slosilo::Key do
   include_context "with example key"
   
@@ -77,8 +80,8 @@ describe Slosilo::Key do
     end
   end
   
-  let(:ciphertext) { "\x8B\xE6\xEC\x8C\xAB\xA4\xC0\x8EF\"\x0F\xD5Yh\xA1\aq\x00\xF5\xAC\xAB\v\a\xEC\xF6G\xA6\e\x14N\xFF\x11\x98\xDA\x19\xB5\x8994_:\xA0\xF8\x06l\xDC\x9B\xB1\xE8z\x83\xCC\x9A\x02E\x02tOhu\x92F]h".force_encoding("ASCII-8BIT") }
-  let(:skey) { "\x15\xFF\xD4>\x9C\xF4\x0F\xB6\x04C\x18\xC1\x96\xC3\xE0T\xA3\xF5\xE8\x17\xA6\xE0\x86~rrw\xC3\xDF\x11)$\x9B\r@\x0E\xE4Zv\rw-\xFC\x1C\x84\x17\xBD\xDB\x12u\xCD\r\xFEo\xD5\xC8[\x8FEA\\\xA9\xA2F#\x8BH -\xFA\xF7\xA9\xEBf\x97\xAAT}\x8E*\xC0r\x944p\xD0\x9A\xE7\xBD\a;O\f\xEF\xE4B.y\xFA\xB4e@O\xBB\x15>y\xC9\t=\x01\xE1J\xF3X\xA9\x9E3\x04^H\x1F\xFF\x19C\x93ve)@\xF7\t_\xCF\xDE\xF1\xB7]\x83lL\xB8%A\x93p{\xE9Y\xBAu\xCE\x99T\xDC\xDF\xE7\x0FD%\xB9AXb\x1CW\x94$P\xBB\xE1g\xDEE\t\xC4\x92\x9E\xFEt\xDF\xD0\xEA\x03\xC4\x12\xA9\x02~u\xF4\x92 ;\xA0\xCE.\b+)\x05\xEDo\xA5cF\xF8\x12\xD7F\x97\xE44\xBF\xF1@\xA5\xC5\xA8\xE5\a\xE8ra<\x04\xB5\xA2\f\t\xF7T\x97\e\xF5(^\xAB\xA5%84\x10\xD1\x13e<\xCA/\xBF}%\xF6\xB1%\xB2".force_encoding("ASCII-8BIT") }
+  let(:ciphertext){ "G\xAD^\x17\x11\xBBQ9-b\x14\xF6\x92#Q0x\xF4\xAD\x1A\x92\xC3VZW\x89\x8E\x8Fg\x93\x05B\xF8\xD6O\xCFGCTp\b~\x916\xA3\x9AN\x8D\x961\x1F\xA3mSf&\xAD\xA77/]z\xA89\x01\xA7\xA9\x92\f".force_encoding('ASCII-8BIT') }
+  let(:skey){  "\x82\x93\xFAA\xA6wQA\xE1\xB5\xA6b\x8C.\xCF#I\x86I\x83u\x99\rTA\xEF\xC4\x91\xC5)-\xEBQ\xB1\xC0\xC6\xFF\x90L\xFE\x1E\x15\x81\x12\x16\xDD:A\xC5d\xE1B\xD2f@\xB8o\xB7+N\xB7\n\x92\xDC\x9E\xE3\x83\xB8>h\a\xC7\xCC\xCF\xD0t\x06\x8B\xA8\xBF\xEFe\xA4{\x88\f\xDD\roF\xEB.\xDA\xBF\x9D_0>\xF03c'\x1F!)*-\x19\x97\xAC\xD2\x1F(,6h\a\x93\xDB\x8E\x97\xF9\x1A\x11\x84\x11t\xD9\xB2\x85\xB0\x12\x7F\x03\x00O\x8F\xBE#\xFFb\xA5w\xF3g\xCF\xB4\xF2\xB7\xDBiA=\xA8\xFD1\xEC\xBF\xD7\x8E\xB6W>\x03\xACNBa\xBF\xFD\xC6\xB32\x8C\xE2\xF1\x87\x9C\xAE6\xD1\x12\vkl\xBB\xA0\xED\x9A\xEE6\xF2\xD9\xB4LL\xE2h/u_\xA1i=\x11x\x8DGha\x8EG\b+\x84[\x87\x8E\x01\x0E\xA5\xB0\x9F\xE9vSl\x18\xF3\xEA\xF4NH\xA8\xF1\x81\xBB\x98\x01\xE8p]\x18\x11f\xA3K\xA87c\xBB\x13X~K\xA2".force_encoding('ASCII-8BIT') }
   describe '#decrypt' do
     it "decrypts the symmetric key and then uses it to decrypt the ciphertext" do
       expect(subject.decrypt(ciphertext, skey)).to eq(plaintext)
@@ -120,7 +123,7 @@ describe Slosilo::Key do
     context "when given something else" do
       subject { Slosilo::Key.new "foo" }
       it "fails early" do
-        expect { subject }.to raise_error
+        expect { subject }.to raise_error ArgumentError
       end
     end
   end
@@ -145,6 +148,19 @@ describe Slosilo::Key do
         expect(key.sign("this sentence is not this sentence")).to eq(expected_signature)
       end
     end
+
+    context "when given a Hash containing non-ascii characters" do
+      let(:unicode){ "adèle.dupuis" }
+      let(:encoded){
+        unicode.dup.tap{|s| s.force_encoding Encoding::ASCII_8BIT}
+      }
+      let(:hash){ {"data" => unicode} }
+
+      it "converts the value to raw bytes before signing it" do
+        expect(key).to receive(:sign_string).with("[[\"data\",\"#{encoded}\"]]").and_call_original
+        key.sign hash
+      end
+    end
   end
   
   describe "#signed_token" do
@@ -162,7 +178,50 @@ describe Slosilo::Key do
     subject { key.signed_token data }
     it { is_expected.to eq(expected_token) }
   end
-  
+
+  describe "#validate_jwt" do
+    let(:token) do
+      instance_double Slosilo::JWT,
+          header: { 'alg' => 'conjur.org/slosilo/v2' },
+          claims: { 'iat' => Time.now.to_i },
+          string_to_sign: double("string to sign"),
+          signature: double("signature")
+    end
+
+    before do
+      allow(key).to receive(:verify_signature).with(token.string_to_sign, token.signature) { true }
+    end
+
+    it "verifies the signature" do
+      expect { key.validate_jwt token }.not_to raise_error
+    end
+
+    it "rejects unknown algorithm" do
+      token.header['alg'] = 'HS256' # we're not supporting standard algorithms
+      expect { key.validate_jwt token }.to raise_error /algorithm/
+    end
+
+    it "rejects bad signature" do
+      allow(key).to receive(:verify_signature).with(token.string_to_sign, token.signature) { false }
+      expect { key.validate_jwt token }.to raise_error /signature/
+    end
+
+    it "rejects expired token" do
+      token.claims['exp'] = 1.hour.ago.to_i
+      expect { key.validate_jwt token }.to raise_error /expired/
+    end
+
+    it "accepts unexpired token with implicit expiration" do
+      token.claims['iat'] = 5.minutes.ago
+      expect { key.validate_jwt token }.to_not raise_error
+    end
+
+    it "rejects token expired with implicit expiration" do
+      token.claims['iat'] = 10.minutes.ago.to_i
+      expect { key.validate_jwt token }.to raise_error /expired/
+    end
+  end
+
   describe "#token_valid?" do
     let(:data) { { "foo" => :bar } }
     let(:signature) { Base64::urlsafe_encode64 "\xB0\xCE{\x9FP\xEDV\x9C\xE7b\x8B[\xFAil\x87^\x96\x17Z\x97\x1D\xC2?B\x96\x9C\x8Ep-\xDF_\x8F\xC21\xD9^\xBC\n\x16\x04\x8DJ\xF6\xAF-\xEC\xAD\x03\xF9\xEE:\xDF\xB5\x8F\xF9\xF6\x81m\xAB\x9C\xAB1\x1E\x837\x8C\xFB\xA8P\xA8<\xEA\x1Dx\xCEd\xED\x84f\xA7\xB5t`\x96\xCC\x0F\xA9t\x8B\x9Fo\xBF\x92K\xFA\xFD\xC5?\x8F\xC68t\xBC\x9F\xDE\n$\xCA\xD2\x8F\x96\x0EtX2\x8Cl\x1E\x8Aa\r\x8D\xCAi\x86\x1A\xBD\x1D\xF7\xBC\x8561j\x91YlO\xFA(\x98\x10iq\xCC\xAF\x9BV\xC6\v\xBC\x10Xm\xCD\xFE\xAD=\xAA\x95,\xB4\xF7\xE8W\xB8\x83;\x81\x88\xE6\x01\xBA\xA5F\x91\x17\f\xCE\x80\x8E\v\x83\x9D<\x0E\x83\xF6\x8D\x03\xC0\xE8A\xD7\x90i\x1D\x030VA\x906D\x10\xA0\xDE\x12\xEF\x06M\xD8\x8B\xA9W\xC8\x9DTc\x8AJ\xA4\xC0\xD3!\xFA\x14\x89\xD1p\xB4J7\xA5\x04\xC2l\xDC8<\x04Y\xD8\xA4\xFB[\x89\xB1\xEC\xDA\xB8\xD7\xEA\x03Ja pinch of salt".force_encoding("ASCII-8BIT") }

data/spec/sequel_adapter_spec.rb

@@ -60,7 +60,7 @@ describe Slosilo::Adapters::SequelAdapter do
     let(:db) { Sequel.sqlite }
     before do
       allow(subject).to receive(:create_model).and_call_original
-      Sequel.cache_anonymous_models = false
+      Sequel::Model.cache_anonymous_models = false
       Sequel::Model.db = db
     end
   end