lyrebird 1.0.0.alpha1 → 1.0.0.alpha2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 01f50b61e7c1cf3b9417c22f495bfc6cd37c15cdd5bb6989147a4462c10ce7ca
-  data.tar.gz: ee3ff1a24a14319f978685696a73df8f6dd0a321a9907ef0e0c47cb5b2344fdf
+  metadata.gz: b18c9229d638025f9882d18957a043c890e128ae5cbf9541d97f0cce078ce8e1
+  data.tar.gz: 28ce7ba82169a7fa5b1ac90299eb09af37781adefc74522a6ee43e16f822f740
 SHA512:
-  metadata.gz: 98f2d39495b3f5db08e9f27e8663e9b9924ff55ee41b1b9a81a707aa91f6bfa452e823fb577702990bb05e9fdcd439e36573700f62ef30cbd4b48202cf7f4b98
-  data.tar.gz: c526d72406244c4da1ba6cc9abe80abdd11191c7cba023db2a1a2b1bbd647a519aeb1531e49d4e09bd6701e1c6164a5b7969f141d005ff3109fe213bd0de0f1d
+  metadata.gz: 7edb0e358a6f295f80731bcf2d6544d55843b69c69bd25fcfbffc9a750240af558dfad598ba2939e6b9fa96033b17a7e827715908e08f3005ece03284c75f9a2
+  data.tar.gz: c7ba17cac0ffe23dcc264c52c6b8c6ce8fc44900bc0a302866e9c9aee2f874fd6f12ae5feda573c2d864047aac56a6bb5d67a000f570b018be54062b1e0acaab

data/README.md

@@ -14,18 +14,19 @@ class SAMLTest < ActionDispatch::IntegrationTest
   test "consume creates a session" do
     user = users(:alice)
 
-    response = Lyrebird::Response.new(
-      issuer: "https://idp.example.com",
-      destination: saml_consume_url,
-      recipient: saml_consume_url,
-      audience: root_url,
-      name_id: user.email,
-      attributes: {
-        email: user.email,
-        first_name: user.first_name,
-        last_name: user.last_name
-      }
-    )
+    response = Lyrebird::Response.build do |r|
+      r.issuer = "https://idp.example.com"
+      r.destination = saml_consume_url
+      r.recipient = saml_consume_url
+      r.audience = root_url
+      r.name_id = user.email
+
+      r.attributes do |a|
+        a.email = user.email
+        a.first_name = user.first_name
+        a.last_name = user.last_name
+      end
+    end
 
     post saml_consume_path, params: { SAMLResponse: response.mimic }
 
@@ -36,28 +37,48 @@ end
 ```
 
 ## Response
-Creates complete SAML responses with embedded assertions.
+Builds complete SAML responses with embedded assertions.
 
-### Creating a response
+### Building a response
+Defaults produce an SP-initiated response. See
+[IdP-initiated SSO](#idp-initiated-sso) to omit `InResponseTo` and
+`Destination`.
 ```ruby
-# With defaults
-response = Lyrebird::Response.new
+# With defaults (SP-initiated)
+response = Lyrebird::Response.build
 
 # With options
-response = Lyrebird::Response.new(
-  issuer: "https://idp.example.com",
-  destination: "https://sp.example.com/acs",
-  in_response_to: "_request_id",
-  name_id: "user@example.com",
-  name_id_format: Lyrebird::NAMEID_EMAIL,
-  recipient: "https://sp.example.com/acs",
-  audience: "https://sp.example.com",
-  valid_for: 300, # seconds
-  attributes: {
-    email: "user@example.com",
-    groups: ["admin", "users"]
-  }
-)
+response = Lyrebird::Response.build do |r|
+  r.issuer = "https://idp.example.com"
+  r.destination = "https://sp.example.com/acs"
+  r.in_response_to = "_request_id"
+  r.name_id = "user@example.com"
+  r.name_id_format = Lyrebird::NAMEID_EMAIL
+  r.recipient = "https://sp.example.com/acs"
+  r.audience = "https://sp.example.com"
+  r.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+  r.not_before = Time.now.utc
+  r.valid_for = 300 # seconds
+  r.sign_with = idp_cert
+  r.encrypt_with = sp_cert
+
+  r.attributes do |a|
+    a.email = "user@example.com"
+    a.groups = ["admin", "users"]
+  end
+end
+```
+
+### IdP-initiated SSO
+For unsolicited (IdP-initiated) flows where there is no AuthnRequest,
+set `in_response_to` and `destination` to `nil` to omit them from the
+XML entirely:
+```ruby
+response = Lyrebird::Response.build do |r|
+  r.in_response_to = nil
+  r.destination = nil
+  r.name_id = "user@example.com"
+end
 ```
 
 ### Getting the encoded response
@@ -67,14 +88,25 @@ response.document # REXML::Document for inspection
 ```
 
 ### Signing
+Sign both the assertion and response with an IdP certificate:
 ```ruby
-cert = Lyrebird::Certificate.generate
+idp_cert = Lyrebird::Certificate.generate
+response = Lyrebird::Response.build(sign_with: idp_cert)
+```
 
-response = Lyrebird::Response.new(
-  certificate: cert,
-  sign_assertion: true, # Sign the assertion (default: false)
-  sign_response: true   # Sign the response (default: false)
-)
+### Encryption
+Encrypt assertions using the SP's certificate so only the SP can decrypt them:
+```ruby
+sp_cert = Lyrebird::Certificate.generate  # In practice, provided by the SP
+response = Lyrebird::Response.build(encrypt_with: sp_cert)
+```
+
+Signing and encryption can be combined:
+```ruby
+response = Lyrebird::Response.build do |r|
+  r.sign_with = idp_cert
+  r.encrypt_with = sp_cert
+end
 ```
 
 ### NameID Formats
@@ -111,7 +143,7 @@ cert = Lyrebird::Certificate.generate(
   cn: "example.com",                  # Common Name
   o: "Acme",                          # Organization
   valid_for: 30,                      # Validity in days (default: 365)
-  valid_until: Time.new(2026, 12, 31) # Specific expiration (overrides valid_for)
+  valid_until: Time.new(2999, 12, 31) # Specific expiration (overrides valid_for)
 )
 ```
 

data/lib/lyrebird/assertion.rb

@@ -8,19 +8,19 @@ module Lyrebird
       name_id_format: DEFAULTS.name_id_format,
       recipient: DEFAULTS.recipient,
       in_response_to: DEFAULTS.in_response_to,
+      not_before: nil,
       valid_for: DEFAULTS.valid_for,
       audience: DEFAULTS.audience,
       authn_context: DEFAULTS.authn_context,
       attributes: DEFAULTS.attributes
     )
-      @id = ID.generate
-      @session_index = ID.generate
       @issue_instant = Time.now.utc
       @issuer = issuer
       @name_id = name_id
       @name_id_format = name_id_format
       @recipient = recipient
       @in_response_to = in_response_to
+      @not_before = not_before || @issue_instant
       @not_on_or_after = @issue_instant + valid_for
       @audience = audience
       @authn_context = authn_context
@@ -38,7 +38,7 @@ module Lyrebird
     def root
       REXML::Element.new("saml:Assertion").tap do |r|
         r.add_namespace("saml", SAML_ASSERTION_NS)
-        r.add_attribute("ID", @id)
+        r.add_attribute("ID", ID.generate)
         r.add_attribute("Version", "2.0")
         r.add_attribute("IssueInstant", @issue_instant.iso8601)
         r.add_element("saml:Issuer").text = @issuer
@@ -64,13 +64,13 @@ module Lyrebird
         data = sc.add_element("saml:SubjectConfirmationData")
         data.add_attribute("NotOnOrAfter", @not_on_or_after.iso8601)
         data.add_attribute("Recipient", @recipient)
-        data.add_attribute("InResponseTo", @in_response_to)
+        data.add_attribute("InResponseTo", @in_response_to) if @in_response_to
       end
     end
 
     def conditions
       REXML::Element.new("saml:Conditions").tap do |c|
-        c.add_attribute("NotBefore", @issue_instant.iso8601)
+        c.add_attribute("NotBefore", @not_before.iso8601)
         c.add_attribute("NotOnOrAfter", @not_on_or_after.iso8601)
         ar = c.add_element("saml:AudienceRestriction")
         ar.add_element("saml:Audience").text = @audience
@@ -80,7 +80,7 @@ module Lyrebird
     def authn_statement
       REXML::Element.new("saml:AuthnStatement").tap do |as|
         as.add_attribute("AuthnInstant", @issue_instant.iso8601)
-        as.add_attribute("SessionIndex", @session_index)
+        as.add_attribute("SessionIndex", ID.generate)
         ac = as.add_element("saml:AuthnContext")
         cr = ac.add_element("saml:AuthnContextClassRef")
         cr.text = @authn_context

data/lib/lyrebird/certificate.rb

@@ -25,7 +25,8 @@ module Lyrebird
       @private_key = private_key
       @common_name = cn
       @organization = o
-      @not_after = valid_until || Time.now + (valid_for * 24 * 60 * 60)
+      @valid_for = valid_for
+      @valid_until = valid_until
       @certificate = certificate || build_certificate
     end
 
@@ -48,12 +49,14 @@ module Lyrebird
     private
 
     def build_certificate
+      now = Time.now
+
       OpenSSL::X509::Certificate.new.tap do |c|
         c.public_key = @private_key.public_key
         c.subject = build_subject
         c.issuer = c.subject
-        c.not_before = Time.now
-        c.not_after = @not_after
+        c.not_before = now
+        c.not_after = @valid_until || now + (@valid_for * 86_400)
         c.sign(@private_key, OpenSSL::Digest::SHA256.new)
       end
     end

data/lib/lyrebird/encryption.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Lyrebird
+  class Encryption
+    def initialize(element, certificate)
+      @element = element
+      @certificate = certificate
+      @aes_key = SecureRandom.random_bytes(32)
+    end
+
+    def encrypt
+      encrypted_assertion
+    end
+
+    private
+
+    def encrypted_assertion
+      REXML::Element.new("saml:EncryptedAssertion").tap do |ea|
+        ea.add_namespace("saml", SAML_ASSERTION_NS)
+        ea.add_element(encrypted_data)
+      end
+    end
+
+    def encrypted_data
+      REXML::Element.new("xenc:EncryptedData").tap do |ed|
+        ed.add_namespace("xenc", XMLENC_NS)
+        ed.add_attribute("Type", "#{XMLENC_NS}Element")
+        em = ed.add_element("xenc:EncryptionMethod")
+        em.add_attribute("Algorithm", AES256_CBC)
+        ed.add_element(key_info)
+        ed.add_element(cipher_data)
+      end
+    end
+
+    def key_info
+      REXML::Element.new("ds:KeyInfo").tap do |ki|
+        ki.add_namespace("ds", XMLDSIG_NS)
+        ki.add_element(encrypted_key)
+      end
+    end
+
+    def encrypted_key
+      REXML::Element.new("xenc:EncryptedKey").tap do |ek|
+        ek.add_namespace("xenc", XMLENC_NS)
+        em = ek.add_element("xenc:EncryptionMethod")
+        em.add_attribute("Algorithm", RSA_OAEP)
+        ek.add_element(encrypted_key_cipher_data)
+      end
+    end
+
+    def encrypted_key_cipher_data
+      public_key = @certificate.certificate.public_key
+      padding = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+      encrypted_aes_key = public_key.public_encrypt(@aes_key, padding)
+
+      REXML::Element.new("xenc:CipherData").tap do |cd|
+        cv = Base64.strict_encode64(encrypted_aes_key)
+        cd.add_element("xenc:CipherValue").text = cv
+      end
+    end
+
+    def cipher_data
+      cipher = OpenSSL::Cipher.new("AES-256-CBC")
+      cipher.encrypt
+      cipher.key = @aes_key
+      iv = cipher.random_iv
+      ciphertext = cipher.update(@element.to_s) + cipher.final
+
+      REXML::Element.new("xenc:CipherData").tap do |cd|
+        cv = Base64.strict_encode64(iv + ciphertext)
+        cd.add_element("xenc:CipherValue").text = cv
+      end
+    end
+  end
+end

data/lib/lyrebird/namespaces.rb

@@ -11,4 +11,7 @@ module Lyrebird
   CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
   ATTR_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
   STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+  XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
+  AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+  RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
 end

data/lib/lyrebird/response.rb

@@ -2,23 +2,30 @@
 
 module Lyrebird
   class Response
+    def self.build(**kwargs)
+      config = OpenStruct.new(kwargs)
+
+      config.define_singleton_method(:attributes) do |&block|
+        self.attributes = OpenStruct.new.tap(&block).to_h
+      end
+
+      yield config if block_given?
+      new(**config.to_h)
+    end
+
     def initialize(
       issuer: DEFAULTS.issuer,
       destination: DEFAULTS.recipient,
       in_response_to: DEFAULTS.in_response_to,
-      certificate: nil,
-      sign_assertion: false,
-      sign_response: false,
+      sign_with: nil,
+      encrypt_with: nil,
       **assertion_options
     )
-      @id = ID.generate
-      @issue_instant = Time.now.utc
       @issuer = issuer
       @destination = destination
       @in_response_to = in_response_to
-      @certificate = certificate
-      @sign_assertion = sign_assertion
-      @sign_response = sign_response
+      @sign_with = sign_with
+      @encrypt_with = encrypt_with
 
       @assertion = Assertion.new(
         issuer: issuer,
@@ -43,19 +50,25 @@ module Lyrebird
       REXML::Element.new("samlp:Response").tap do |r|
         r.add_namespace("samlp", SAML_PROTOCOL_NS)
         r.add_namespace("saml", SAML_ASSERTION_NS)
-        r.add_attribute("ID", @id)
+        r.add_attribute("ID", ID.generate)
         r.add_attribute("Version", "2.0")
-        r.add_attribute("IssueInstant", @issue_instant.iso8601)
-        r.add_attribute("Destination", @destination)
-        r.add_attribute("InResponseTo", @in_response_to)
+        r.add_attribute("IssueInstant", Time.now.utc.iso8601)
+        r.add_attribute("Destination", @destination) if @destination
+        r.add_attribute("InResponseTo", @in_response_to) if @in_response_to
         r.add_element("saml:Issuer").text = @issuer
         r.add_element(status)
-        a = r.add_element(@assertion.document.root)
-        Signature.new(a, certificate: @certificate).sign! if @sign_assertion
-        Signature.new(r, certificate: @certificate).sign! if @sign_response
+        r.add_element(assertion_element)
+        Signature.new(r, @sign_with).sign! if @sign_with
       end
     end
 
+    def assertion_element
+      element = @assertion.document.root
+      Signature.new(element, @sign_with).sign! if @sign_with
+      return element unless @encrypt_with
+      Encryption.new(element, @encrypt_with).encrypt
+    end
+
     def status
       REXML::Element.new("samlp:Status").tap do |s|
         sc = s.add_element("samlp:StatusCode")

data/lib/lyrebird/signature.rb

@@ -2,15 +2,15 @@
 
 module Lyrebird
   class Signature
-    def initialize(element, certificate:)
+    def initialize(element, certificate)
       @element = element
       @certificate = certificate
-      @element_id = @element.attributes["ID"]
     end
 
     def sign!
       issuer = @element.elements["saml:Issuer"]
       @element.insert_after(issuer, signature_element)
+      self
     end
 
     private
@@ -50,7 +50,7 @@ module Lyrebird
 
     def reference
       REXML::Element.new("ds:Reference").tap do |ref|
-        ref.add_attribute("URI", "##{@element_id}")
+        ref.add_attribute("URI", "##{@element.attributes["ID"]}")
         ref.add_element(transforms)
         dm = ref.add_element("ds:DigestMethod")
         dm.add_attribute("Algorithm", SHA256_DIGEST)

data/lib/lyrebird/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Lyrebird
-  VERSION = "1.0.0.alpha1"
+  VERSION = "1.0.0.alpha2"
 end

data/lib/lyrebird.rb

@@ -2,6 +2,7 @@
 
 require "base64"
 require "openssl"
+require "ostruct"
 require "rexml"
 require "securerandom"
 require "time"
@@ -9,6 +10,7 @@ require "time"
 require_relative "lyrebird/assertion"
 require_relative "lyrebird/certificate"
 require_relative "lyrebird/defaults"
+require_relative "lyrebird/encryption"
 require_relative "lyrebird/id"
 require_relative "lyrebird/namespaces"
 require_relative "lyrebird/response"

data/lyrebird.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "base64"
+  spec.add_dependency "ostruct"
   spec.add_dependency "rexml"
 
   spec.add_development_dependency "minitest"

data/test/lyrebird/assertion_test.rb

@@ -131,6 +131,14 @@ module Lyrebird
       assert_equal in_response_to, scd.attributes["InResponseTo"]
     end
 
+    def test_in_response_to_omitted_when_nil
+      assertion = Assertion.new(in_response_to: nil).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      assert_nil scd.attributes["InResponseTo"]
+    end
+
     def test_valid_for_override
       valid_for = 600 # 10 minutes
       refute_equal valid_for, DEFAULTS.valid_for
@@ -153,6 +161,13 @@ module Lyrebird
       assert_in_delta Time.now.to_i, not_before.to_i, 1
     end
 
+    def test_conditions_not_before_override
+      not_before = Time.now.utc - 60
+      assertion = Assertion.new(not_before: not_before).document
+      conditions = assertion.root.elements["saml:Conditions"]
+      assert_equal not_before.iso8601, conditions.attributes["NotBefore"]
+    end
+
     def test_conditions_not_on_or_after
       not_on_or_after = Time.iso8601(@conditions.attributes["NotOnOrAfter"])
       expected = Time.now.utc + DEFAULTS.valid_for

data/test/lyrebird/encryption_test.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+module Lyrebird
+  class EncryptionTest < Minitest::Test
+    def setup
+      @assertion = Assertion.new.document
+      @element = @assertion.root
+      @certificate = Certificate.generate
+      @encrypted = Encryption.new(@element, @certificate).encrypt
+      @ed = @encrypted.elements["xenc:EncryptedData"]
+      @ki = @ed.elements["ds:KeyInfo"]
+      @ek = @ki.elements["xenc:EncryptedKey"]
+      @cd = @ed.elements["xenc:CipherData"]
+    end
+
+    def test_returns_encrypted_assertion_element
+      assert_equal "EncryptedAssertion", @encrypted.name
+      assert_equal "saml", @encrypted.prefix
+    end
+
+    def test_encrypted_assertion_namespace
+      assert_equal SAML_ASSERTION_NS, @encrypted.namespace
+    end
+
+    def test_encrypted_data_element
+      assert_equal "EncryptedData", @ed.name
+      assert_equal "xenc", @ed.prefix
+    end
+
+    def test_encrypted_data_namespace
+      assert_equal XMLENC_NS, @ed.namespace
+    end
+
+    def test_encrypted_data_type
+      assert_equal "#{XMLENC_NS}Element", @ed.attributes["Type"]
+    end
+
+    def test_encryption_method_element
+      em = @ed.elements["xenc:EncryptionMethod"]
+      assert_equal "EncryptionMethod", em.name
+      assert_equal "xenc", em.prefix
+    end
+
+    def test_encryption_method_algorithm
+      em = @ed.elements["xenc:EncryptionMethod"]
+      assert_equal AES256_CBC, em.attributes["Algorithm"]
+    end
+
+    def test_cipher_data_element
+      assert_equal "CipherData", @cd.name
+      assert_equal "xenc", @cd.prefix
+    end
+
+    def test_cipher_value_element
+      cv = @cd.elements["xenc:CipherValue"]
+      assert_equal "CipherValue", cv.name
+      assert_equal "xenc", cv.prefix
+    end
+
+    def test_cipher_value_is_base64
+      cv = @cd.elements["xenc:CipherValue"]
+      decoded = Base64.strict_decode64(cv.text)
+      assert decoded.bytesize > 16
+    end
+
+    def test_cipher_value_starts_with_iv
+      cv = @cd.elements["xenc:CipherValue"]
+      decoded = Base64.strict_decode64(cv.text)
+      iv = decoded[0, 16]
+      assert_equal 16, iv.bytesize
+    end
+
+    def test_key_info_element
+      assert_equal "KeyInfo", @ki.name
+      assert_equal "ds", @ki.prefix
+    end
+
+    def test_key_info_namespace
+      assert_equal XMLDSIG_NS, @ki.namespace
+    end
+
+    def test_encrypted_key_element
+      assert_equal "EncryptedKey", @ek.name
+      assert_equal "xenc", @ek.prefix
+    end
+
+    def test_encrypted_key_namespace
+      assert_equal XMLENC_NS, @ek.namespace
+    end
+
+    def test_encrypted_key_encryption_method
+      em = @ek.elements["xenc:EncryptionMethod"]
+      assert_equal "EncryptionMethod", em.name
+      assert_equal RSA_OAEP, em.attributes["Algorithm"]
+    end
+
+    def test_encrypted_key_cipher_data
+      cd = @ek.elements["xenc:CipherData"]
+      assert_equal "CipherData", cd.name
+      assert_equal "xenc", cd.prefix
+    end
+
+    def test_encrypted_key_cipher_value
+      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      assert_equal "CipherValue", cv.name
+      assert_equal "xenc", cv.prefix
+    end
+
+    def test_encrypted_key_cipher_value_is_base64
+      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      decoded = Base64.strict_decode64(cv.text)
+      assert decoded.bytesize > 0
+    end
+
+    def test_encrypted_key_can_be_decrypted
+      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      encrypted_key = Base64.strict_decode64(cv.text)
+      private_key = @certificate.private_key
+      padding = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+      decrypted_key = private_key.private_decrypt(encrypted_key, padding)
+      assert_equal 32, decrypted_key.bytesize
+    end
+  end
+end

data/test/lyrebird/response_test.rb

@@ -9,6 +9,78 @@ module Lyrebird
       @root = @response.document.root
     end
 
+    def test_build_with_defaults
+      response = Response.build
+      root = response.document.root
+      assert_equal DEFAULTS.issuer, root.elements["saml:Issuer"].text
+    end
+
+    def test_build_with_kwargs
+      issuer = "https://test.example.com"
+      refute_equal issuer, DEFAULTS.issuer
+      response = Response.build(issuer: issuer)
+      root = response.document.root
+      assert_equal issuer, root.elements["saml:Issuer"].text
+    end
+
+    def test_build_with_block
+      issuer = "https://test.example.com"
+      refute_equal issuer, DEFAULTS.issuer
+      response = Response.build { |r| r.issuer = issuer }
+      root = response.document.root
+      assert_equal issuer, root.elements["saml:Issuer"].text
+    end
+
+    def test_build_with_kwargs_and_block
+      issuer = "https://test.example.com"
+      email = "test@example.com"
+
+      refute_equal issuer, DEFAULTS.issuer
+      refute_equal email, DEFAULTS.name_id
+
+      response = Response.build(issuer: issuer) do |r|
+        r.name_id = email
+      end
+
+      root = response.document.root
+      assert_equal issuer, root.elements["saml:Issuer"].text
+      name_id = root.elements["saml:Assertion/saml:Subject/saml:NameID"]
+      assert_equal email, name_id.text
+    end
+
+    def test_build_with_attributes_block
+      email = "test@example.com"
+      role = "admin"
+
+      response = Response.build do |r|
+        r.attributes do |a|
+          a.email = email
+          a.role = role
+        end
+      end
+
+      root = response.document.root
+      statement = root.elements["saml:Assertion/saml:AttributeStatement"]
+      email_element = statement.elements["saml:Attribute[@Name='email']"]
+      role_element = statement.elements["saml:Attribute[@Name='role']"]
+
+      assert_equal email, email_element.elements["saml:AttributeValue"].text
+      assert_equal role, role_element.elements["saml:AttributeValue"].text
+    end
+
+    def test_build_with_attributes_hash
+      email = "user@example.com"
+
+      response = Response.build do |r|
+        r.attributes = { email: email }
+      end
+
+      root = response.document.root
+      statement = root.elements["saml:Assertion/saml:AttributeStatement"]
+      email_element = statement.elements["saml:Attribute[@Name='email']"]
+      assert_equal email, email_element.elements["saml:AttributeValue"].text
+    end
+
     def test_mimic_returns_base64
       encoded = @response.mimic
       decoded = Base64.strict_decode64(encoded)
@@ -64,6 +136,16 @@ module Lyrebird
       assert_equal in_response_to, root.attributes["InResponseTo"]
     end
 
+    def test_destination_omitted_when_nil
+      root = Response.new(destination: nil).document.root
+      assert_nil root.attributes["Destination"]
+    end
+
+    def test_in_response_to_omitted_when_nil
+      root = Response.new(in_response_to: nil).document.root
+      assert_nil root.attributes["InResponseTo"]
+    end
+
     def test_issuer
       issuer = @root.elements["saml:Issuer"]
       assert_equal "Issuer", issuer.name
@@ -121,48 +203,38 @@ module Lyrebird
       assert_equal email, name_id.text
     end
 
-    def test_assertion_unsigned_by_default
-      assertion = @root.elements["saml:Assertion"]
-      assert_nil assertion.elements["ds:Signature"]
+    def test_unsigned_by_default
+      assert_nil @root.elements["ds:Signature"]
+      assert_nil @root.elements["saml:Assertion/ds:Signature"]
     end
 
-    def test_sign_assertion_adds_signature
-      cert = Certificate.generate
-      root = Response.new(certificate: cert, sign_assertion: true).document.root
-      assertion = root.elements["saml:Assertion"]
-      signature = assertion.elements["ds:Signature"]
-      assert_equal "Signature", signature.name
-      assert_equal "ds", signature.prefix
+    def test_sign_with_signs_response_and_assertion
+      root = Response.new(sign_with: Certificate.generate).document.root
+      refute_nil root.elements["ds:Signature"]
+      refute_nil root.elements["saml:Assertion/ds:Signature"]
     end
 
-    def test_response_unsigned_by_default
-      assert_nil @root.elements["ds:Signature"]
+    def test_not_encrypted_by_default
+      assert_nil @root.elements["saml:EncryptedAssertion"]
     end
 
-    def test_sign_response_adds_signature
-      args = { certificate: Certificate.generate, sign_response: true }
-      root = Response.new(**args).document.root
-      signature = root.elements["ds:Signature"]
-      assert_equal "Signature", signature.name
-      assert_equal "ds", signature.prefix
+    def test_encrypt_with_creates_encrypted_assertion
+      root = Response.new(encrypt_with: Certificate.generate).document.root
+      ea = root.elements["saml:EncryptedAssertion"]
+      assert_equal "EncryptedAssertion", ea.name
+      assert_equal "saml", ea.prefix
     end
 
-    def test_sign_both_response_and_assertion
-      args = {
-        certificate: Certificate.generate,
-        sign_assertion: true,
-        sign_response: true
-      }
-
-      root = Response.new(**args).document.root
-      refute_nil root.elements["ds:Signature"]
-      refute_nil root.elements["saml:Assertion/ds:Signature"]
+    def test_encrypt_with_removes_plain_assertion
+      root = Response.new(encrypt_with: Certificate.generate).document.root
+      assert_nil root.elements["saml:Assertion"]
     end
 
-    def test_sign_neither_response_nor_assertion
-      root = Response.new(certificate: Certificate.generate).document.root
-      assert_nil root.elements["ds:Signature"]
-      assert_nil root.elements["saml:Assertion/ds:Signature"]
+    def test_encrypt_with_contains_encrypted_data
+      root = Response.new(encrypt_with: Certificate.generate).document.root
+      ed = root.elements["saml:EncryptedAssertion/xenc:EncryptedData"]
+      assert_equal "EncryptedData", ed.name
     end
+
   end
 end

data/test/lyrebird/signature_test.rb

@@ -8,7 +8,7 @@ module Lyrebird
       @certificate = Certificate.generate
       @assertion = Assertion.new.document
       @element = @assertion.root
-      Signature.new(@element, certificate: @certificate).sign!
+      Signature.new(@element, @certificate).sign!
       @signature = @element.elements["ds:Signature"]
       @signed_info = @signature.elements["ds:SignedInfo"]
       @reference = @signed_info.elements["ds:Reference"]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lyrebird
 version: !ruby/object:Gem::Version
-  version: 1.0.0.alpha1
+  version: 1.0.0.alpha2
 platform: ruby
 authors:
 - Josh
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-25 00:00:00.000000000 Z
+date: 2026-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,7 @@ files:
 - lib/lyrebird/assertion.rb
 - lib/lyrebird/certificate.rb
 - lib/lyrebird/defaults.rb
+- lib/lyrebird/encryption.rb
 - lib/lyrebird/id.rb
 - lib/lyrebird/namespaces.rb
 - lib/lyrebird/response.rb
@@ -90,6 +105,7 @@ files:
 - test/lyrebird/assertion_test.rb
 - test/lyrebird/certificate_test.rb
 - test/lyrebird/defaults_test.rb
+- test/lyrebird/encryption_test.rb
 - test/lyrebird/id_test.rb
 - test/lyrebird/response_test.rb
 - test/lyrebird/signature_test.rb