lyrebird 1.0.0.alpha2 → 1.0.0

data/lib/lyrebird/signature.rb

@@ -2,73 +2,121 @@
 
 module Lyrebird
   class Signature
+    C14N_EXCLUSIVE = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+
     def initialize(element, certificate)
       @element = element
       @certificate = certificate
+      @doc = element.document
     end
 
     def sign!
-      issuer = @element.elements["saml:Issuer"]
-      @element.insert_after(issuer, signature_element)
+      issuer = @element.at_xpath("saml:Issuer", "saml" => SAML_ASSERTION_NS)
+      issuer.add_next_sibling(build_signature)
       self
     end
 
     private
 
-    def signature_element
-      REXML::Element.new("ds:Signature").tap do |sig|
-        sig.add_namespace("ds", XMLDSIG_NS)
-        sig.add_element(signed_info)
-        sig.add_element(signature_value)
-        sig.add_element(key_info)
+    def build_signature
+      @doc.create_element("Signature").tap do |sig|
+        @ds = sig.add_namespace_definition("ds", XMLDSIG_NS)
+        sig.namespace = @ds
+
+        sig.add_child(build_signed_info)
+        sig.add_child(build_signature_value)
+        sig.add_child(build_key_info)
       end
     end
 
-    def signed_info
-      REXML::Element.new("ds:SignedInfo").tap do |si|
-        cm = si.add_element("ds:CanonicalizationMethod")
-        cm.add_attribute("Algorithm", EXC_C14N)
-        sm = si.add_element("ds:SignatureMethod")
-        sm.add_attribute("Algorithm", RSA_SHA256)
-        si.add_element(reference)
+    def build_signed_info
+      @doc.create_element("SignedInfo").tap do |si|
+        @signed_info = si
+        si.add_namespace_definition("ds", XMLDSIG_NS)
+        si.namespace = @ds
+
+        si.add_child(@doc.create_element("CanonicalizationMethod")).tap do |cm|
+          cm.namespace = @ds
+          cm["Algorithm"] = EXC_C14N
+        end
+
+        si.add_child(@doc.create_element("SignatureMethod")).tap do |sm|
+          sm.namespace = @ds
+          sm["Algorithm"] = RSA_SHA256
+        end
+
+        si.add_child(build_reference)
       end
     end
 
-    def signature_value
-      REXML::Element.new("ds:SignatureValue").tap do |sv|
-        sig = @certificate.private_key.sign("SHA256", signed_info.to_s)
-        sv.text = Base64.strict_encode64(sig)
+    def build_signature_value
+      @doc.create_element("SignatureValue").tap do |sv|
+        sv.namespace = @ds
+        canonical = canonicalize_signed_info
+        sig = @certificate.sign(canonical)
+        sv.content = Base64.strict_encode64(sig)
       end
     end
 
-    def key_info
-      REXML::Element.new("ds:KeyInfo").tap do |ki|
-        x = ki.add_element("ds:X509Data")
-        x.add_element("ds:X509Certificate").text = @certificate.base64
+    def canonicalize_signed_info
+      xml = @signed_info.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML)
+      xml = xml.sub("<ds:SignedInfo>", "<ds:SignedInfo xmlns:ds=\"#{XMLDSIG_NS}\">")
+      Nokogiri::XML(xml).root.canonicalize(C14N_EXCLUSIVE)
+    end
+
+    def build_key_info
+      @doc.create_element("KeyInfo").tap do |ki|
+        ki.namespace = @ds
+
+        ki.add_child(@doc.create_element("X509Data")).tap do |xd|
+          xd.namespace = @ds
+
+          xd.add_child(@doc.create_element("X509Certificate")).tap do |xc|
+            xc.namespace = @ds
+            xc.content = @certificate.base64
+          end
+        end
       end
     end
 
-    def reference
-      REXML::Element.new("ds:Reference").tap do |ref|
-        ref.add_attribute("URI", "##{@element.attributes["ID"]}")
-        ref.add_element(transforms)
-        dm = ref.add_element("ds:DigestMethod")
-        dm.add_attribute("Algorithm", SHA256_DIGEST)
-        ref.add_element("ds:DigestValue").text = compute_digest(@element)
+    def build_reference
+      @doc.create_element("Reference").tap do |ref|
+        ref.namespace = @ds
+        ref["URI"] = "##{@element["ID"]}"
+
+        ref.add_child(build_transforms)
+
+        ref.add_child(@doc.create_element("DigestMethod")).tap do |dm|
+          dm.namespace = @ds
+          dm["Algorithm"] = SHA256_DIGEST
+        end
+
+        ref.add_child(@doc.create_element("DigestValue")).tap do |dv|
+          dv.namespace = @ds
+          dv.content = compute_digest
+        end
       end
     end
 
-    def transforms
-      REXML::Element.new("ds:Transforms").tap do |t|
-        enveloped = t.add_element("ds:Transform")
-        enveloped.add_attribute("Algorithm", ENVELOPED_SIG)
-        c14n = t.add_element("ds:Transform")
-        c14n.add_attribute("Algorithm", EXC_C14N)
+    def build_transforms
+      @doc.create_element("Transforms").tap do |t|
+        t.namespace = @ds
+
+        t.add_child(@doc.create_element("Transform")).tap do |tr|
+          tr.namespace = @ds
+          tr["Algorithm"] = ENVELOPED_SIG
+        end
+
+        t.add_child(@doc.create_element("Transform")).tap do |tr|
+          tr.namespace = @ds
+          tr["Algorithm"] = EXC_C14N
+        end
       end
     end
 
-    def compute_digest(element)
-      digest = OpenSSL::Digest::SHA256.digest(element.to_s)
+    def compute_digest
+      canonical = @element.canonicalize(C14N_EXCLUSIVE)
+      digest = OpenSSL::Digest::SHA256.digest(canonical)
       Base64.strict_encode64(digest)
     end
   end

data/lib/lyrebird/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Lyrebird
-  VERSION = "1.0.0.alpha2"
+  VERSION = "1.0.0"
 end

data/lib/lyrebird.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 require "base64"
+require "nokogiri"
 require "openssl"
 require "ostruct"
-require "rexml"
 require "securerandom"
 require "time"
 
@@ -19,4 +19,19 @@ require_relative "lyrebird/version"
 
 module Lyrebird
   class Error < StandardError; end
+
+  rails_env = ENV["RAILS_ENV"]&.downcase
+  rack_env = ENV["RACK_ENV"]&.downcase
+
+  if rails_env == "production" || rack_env == "production"
+    warn <<~MESSAGE.strip
+      [Lyrebird] WARNING: Loaded in production environment. \
+      This library is for testing only.
+    MESSAGE
+  end
+
+  def self.configure
+    yield DEFAULTS
+    DEFAULTS.freeze
+  end
 end

data/lyrebird.gemspec

@@ -8,6 +8,8 @@ Gem::Specification.new do |spec|
   spec.authors = ["Josh"]
 
   spec.summary = "Mimics SAML Identity Provider (IdP) responses for testing"
+  spec.homepage = "https://github.com/simplesaml/lyrebird"
+  spec.license = "MIT"
   spec.required_ruby_version = ">= 3.2.0"
 
   spec.files = `git ls-files -z`.split("\x0")
@@ -18,9 +20,14 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "base64"
+  spec.add_dependency "nokogiri"
   spec.add_dependency "ostruct"
-  spec.add_dependency "rexml"
 
+  # ruby-saml's gemspec has a conditional dependency on logger for Ruby >= 3.4,
+  # but it was evaluated at gem build time (on Ruby < 3.4), so the published gem
+  # doesn't include it.
+  spec.add_development_dependency "logger"
   spec.add_development_dependency "minitest"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "ruby-saml"
 end

data/test/lyrebird/assertion_test.rb

@@ -4,74 +4,87 @@ require "test_helper"
 
 module Lyrebird
   class AssertionTest < Minitest::Test
+    NS = { "saml" => SAML_ASSERTION_NS }.freeze
+
     def setup
-      @assertion = Assertion.new.document
-      @root = @assertion.root
-      @subject = @root.elements["saml:Subject"]
-      @sc = @subject.elements["saml:SubjectConfirmation"]
-      @scd = @sc.elements["saml:SubjectConfirmationData"]
-      @conditions = @root.elements["saml:Conditions"]
-      @audience_restriction = @conditions.elements["saml:AudienceRestriction"]
-      @authn_statement = @root.elements["saml:AuthnStatement"]
+      unless defined?(@@assertion)
+        @@assertion = Assertion.new.document
+        @@root = @@assertion.root
+        @@subject = @@root.at_xpath("saml:Subject", NS)
+        @@sc = @@subject.at_xpath("saml:SubjectConfirmation", NS)
+        @@scd = @@sc.at_xpath("saml:SubjectConfirmationData", NS)
+        @@conditions = @@root.at_xpath("saml:Conditions", NS)
+        @@audience_restriction = @@conditions.at_xpath("saml:AudienceRestriction", NS)
+        @@authn_statement = @@root.at_xpath("saml:AuthnStatement", NS)
+      end
+
+      @assertion = @@assertion
+      @root = @@root
+      @subject = @@subject
+      @sc = @@sc
+      @scd = @@scd
+      @conditions = @@conditions
+      @audience_restriction = @@audience_restriction
+      @authn_statement = @@authn_statement
     end
 
     def test_root_name
       assert_equal "Assertion", @root.name
-      assert_equal "saml", @root.prefix
+      assert_equal "saml", @root.namespace.prefix
     end
 
     def test_root_namespace
-      assert_equal SAML_ASSERTION_NS, @root.namespace
+      assert_equal SAML_ASSERTION_NS, @root.namespace.href
     end
 
     def test_root_id
-      assert @root.attributes["ID"].start_with?("_")
+      assert @root["ID"].start_with?("_")
     end
 
     def test_root_version
-      assert_equal "2.0", @root.attributes["Version"]
+      assert_equal "2.0", @root["Version"]
     end
 
     def test_root_issue_instant
-      instant = Time.iso8601(@root.attributes["IssueInstant"])
+      instant = Time.iso8601(@root["IssueInstant"])
       assert_in_delta Time.now.to_i, instant.to_i, 1
     end
 
     def test_issuer
-      issuer = @root.elements["saml:Issuer"]
+      issuer = @root.at_xpath("saml:Issuer", NS)
       assert_equal "Issuer", issuer.name
-      assert_equal "saml", issuer.prefix
+      assert_equal "saml", issuer.namespace.prefix
       assert_equal DEFAULTS.issuer, issuer.text
     end
 
     def test_issuer_override
       assertion = Assertion.new(issuer: "https://test.example.com").document
-      issuer = assertion.root.elements["saml:Issuer"]
+      issuer = assertion.root.at_xpath("saml:Issuer", NS)
       assert_equal "https://test.example.com", issuer.text
     end
 
     def test_subject
       assert_equal "Subject", @subject.name
-      assert_equal "saml", @subject.prefix
+      assert_equal "saml", @subject.namespace.prefix
     end
 
     def test_name_id
-      name_id = @subject.elements["saml:NameID"]
+      name_id = @subject.at_xpath("saml:NameID", NS)
       assert_equal "NameID", name_id.name
-      assert_equal "saml", name_id.prefix
+      assert_equal "saml", name_id.namespace.prefix
       assert_equal DEFAULTS.name_id, name_id.text
     end
 
     def test_name_id_format_default
-      name_id = @subject.elements["saml:NameID"]
-      assert_equal NAMEID_EMAIL, name_id.attributes["Format"]
+      name_id = @subject.at_xpath("saml:NameID", NS)
+      assert_equal NAMEID_EMAIL, name_id["Format"]
     end
 
     def test_name_id_override
       email = "user@test.com"
       refute_equal email, DEFAULTS.name_id
       assertion = Assertion.new(name_id: email).document
-      name_id = assertion.root.elements["saml:Subject/saml:NameID"]
+      name_id = assertion.root.at_xpath("saml:Subject/saml:NameID", NS)
       assert_equal email, name_id.text
     end
 
@@ -79,97 +92,97 @@ module Lyrebird
       format = NAMEID_PERSISTENT
       refute_equal format, DEFAULTS.name_id_format
       assertion = Assertion.new(name_id_format: format).document
-      name_id = assertion.root.elements["saml:Subject/saml:NameID"]
-      assert_equal format, name_id.attributes["Format"]
+      name_id = assertion.root.at_xpath("saml:Subject/saml:NameID", NS)
+      assert_equal format, name_id["Format"]
     end
 
     def test_subject_confirmation
       assert_equal "SubjectConfirmation", @sc.name
-      assert_equal "saml", @sc.prefix
+      assert_equal "saml", @sc.namespace.prefix
     end
 
     def test_subject_confirmation_method
-      assert_equal CM_BEARER, @sc.attributes["Method"]
+      assert_equal CM_BEARER, @sc["Method"]
     end
 
     def test_subject_confirmation_data
       assert_equal "SubjectConfirmationData", @scd.name
-      assert_equal "saml", @scd.prefix
+      assert_equal "saml", @scd.namespace.prefix
     end
 
     def test_valid_for_default
-      not_on_or_after = Time.iso8601(@scd.attributes["NotOnOrAfter"])
+      not_on_or_after = Time.iso8601(@scd["NotOnOrAfter"])
       expected = Time.now.utc + DEFAULTS.valid_for
       assert_in_delta expected.to_i, not_on_or_after.to_i, 1
     end
 
     def test_recipient_default
-      assert_equal DEFAULTS.recipient, @scd.attributes["Recipient"]
+      assert_equal DEFAULTS.recipient, @scd["Recipient"]
     end
 
     def test_in_response_to_default
-      assert_equal DEFAULTS.in_response_to, @scd.attributes["InResponseTo"]
+      assert_equal DEFAULTS.in_response_to, @scd["InResponseTo"]
     end
 
     def test_recipient_override
       recipient = "https://custom.example.com/acs"
       refute_equal recipient, DEFAULTS.recipient
       assertion = Assertion.new(recipient: recipient).document
-      subject = assertion.root.elements["saml:Subject"]
-      sc = subject.elements["saml:SubjectConfirmation"]
-      scd = sc.elements["saml:SubjectConfirmationData"]
-      assert_equal recipient, scd.attributes["Recipient"]
+      subject = assertion.root.at_xpath("saml:Subject", NS)
+      sc = subject.at_xpath("saml:SubjectConfirmation", NS)
+      scd = sc.at_xpath("saml:SubjectConfirmationData", NS)
+      assert_equal recipient, scd["Recipient"]
     end
 
     def test_in_response_to_override
       in_response_to = "_custom_request"
       refute_equal in_response_to, DEFAULTS.in_response_to
       assertion = Assertion.new(in_response_to: in_response_to).document
-      subject = assertion.root.elements["saml:Subject"]
-      sc = subject.elements["saml:SubjectConfirmation"]
-      scd = sc.elements["saml:SubjectConfirmationData"]
-      assert_equal in_response_to, scd.attributes["InResponseTo"]
+      subject = assertion.root.at_xpath("saml:Subject", NS)
+      sc = subject.at_xpath("saml:SubjectConfirmation", NS)
+      scd = sc.at_xpath("saml:SubjectConfirmationData", NS)
+      assert_equal in_response_to, scd["InResponseTo"]
     end
 
     def test_in_response_to_omitted_when_nil
       assertion = Assertion.new(in_response_to: nil).document
-      subject = assertion.root.elements["saml:Subject"]
-      sc = subject.elements["saml:SubjectConfirmation"]
-      scd = sc.elements["saml:SubjectConfirmationData"]
-      assert_nil scd.attributes["InResponseTo"]
+      subject = assertion.root.at_xpath("saml:Subject", NS)
+      sc = subject.at_xpath("saml:SubjectConfirmation", NS)
+      scd = sc.at_xpath("saml:SubjectConfirmationData", NS)
+      assert_nil scd["InResponseTo"]
     end
 
     def test_valid_for_override
       valid_for = 600 # 10 minutes
       refute_equal valid_for, DEFAULTS.valid_for
       assertion = Assertion.new(valid_for: valid_for).document
-      subject = assertion.root.elements["saml:Subject"]
-      sc = subject.elements["saml:SubjectConfirmation"]
-      scd = sc.elements["saml:SubjectConfirmationData"]
-      not_on_or_after = Time.iso8601(scd.attributes["NotOnOrAfter"])
+      subject = assertion.root.at_xpath("saml:Subject", NS)
+      sc = subject.at_xpath("saml:SubjectConfirmation", NS)
+      scd = sc.at_xpath("saml:SubjectConfirmationData", NS)
+      not_on_or_after = Time.iso8601(scd["NotOnOrAfter"])
       expected = Time.now.utc + valid_for
       assert_in_delta expected.to_i, not_on_or_after.to_i, 1
     end
 
     def test_conditions
       assert_equal "Conditions", @conditions.name
-      assert_equal "saml", @conditions.prefix
+      assert_equal "saml", @conditions.namespace.prefix
     end
 
     def test_conditions_not_before
-      not_before = Time.iso8601(@conditions.attributes["NotBefore"])
+      not_before = Time.iso8601(@conditions["NotBefore"])
       assert_in_delta Time.now.to_i, not_before.to_i, 1
     end
 
     def test_conditions_not_before_override
       not_before = Time.now.utc - 60
       assertion = Assertion.new(not_before: not_before).document
-      conditions = assertion.root.elements["saml:Conditions"]
-      assert_equal not_before.iso8601, conditions.attributes["NotBefore"]
+      conditions = assertion.root.at_xpath("saml:Conditions", NS)
+      assert_equal not_before.iso8601, conditions["NotBefore"]
     end
 
     def test_conditions_not_on_or_after
-      not_on_or_after = Time.iso8601(@conditions.attributes["NotOnOrAfter"])
+      not_on_or_after = Time.iso8601(@conditions["NotOnOrAfter"])
       expected = Time.now.utc + DEFAULTS.valid_for
       assert_in_delta expected.to_i, not_on_or_after.to_i, 1
     end
@@ -178,21 +191,21 @@ module Lyrebird
       valid_for = 600 # 10 minutes
       refute_equal valid_for, DEFAULTS.valid_for
       assertion = Assertion.new(valid_for: valid_for).document
-      conditions = assertion.root.elements["saml:Conditions"]
-      not_on_or_after = Time.iso8601(conditions.attributes["NotOnOrAfter"])
+      conditions = assertion.root.at_xpath("saml:Conditions", NS)
+      not_on_or_after = Time.iso8601(conditions["NotOnOrAfter"])
       expected = Time.now.utc + valid_for
       assert_in_delta expected.to_i, not_on_or_after.to_i, 1
     end
 
     def test_audience_restriction
       assert_equal "AudienceRestriction", @audience_restriction.name
-      assert_equal "saml", @audience_restriction.prefix
+      assert_equal "saml", @audience_restriction.namespace.prefix
     end
 
     def test_audience
-      audience = @audience_restriction.elements["saml:Audience"]
+      audience = @audience_restriction.at_xpath("saml:Audience", NS)
       assert_equal "Audience", audience.name
-      assert_equal "saml", audience.prefix
+      assert_equal "saml", audience.namespace.prefix
       assert_equal DEFAULTS.audience, audience.text
     end
 
@@ -200,36 +213,36 @@ module Lyrebird
       audience = "https://custom.sp.example.com"
       refute_equal audience, DEFAULTS.audience
       assertion = Assertion.new(audience: audience).document
-      conditions = assertion.root.elements["saml:Conditions"]
-      ar = conditions.elements["saml:AudienceRestriction"]
-      assert_equal audience, ar.elements["saml:Audience"].text
+      conditions = assertion.root.at_xpath("saml:Conditions", NS)
+      ar = conditions.at_xpath("saml:AudienceRestriction", NS)
+      assert_equal audience, ar.at_xpath("saml:Audience", NS).text
     end
 
     def test_authn_statement
       assert_equal "AuthnStatement", @authn_statement.name
-      assert_equal "saml", @authn_statement.prefix
+      assert_equal "saml", @authn_statement.namespace.prefix
     end
 
     def test_authn_statement_authn_instant
-      authn_instant = Time.iso8601(@authn_statement.attributes["AuthnInstant"])
+      authn_instant = Time.iso8601(@authn_statement["AuthnInstant"])
       assert_in_delta Time.now.to_i, authn_instant.to_i, 1
     end
 
     def test_authn_statement_session_index
-      assert @authn_statement.attributes["SessionIndex"].start_with?("_")
+      assert @authn_statement["SessionIndex"].start_with?("_")
     end
 
     def test_authn_context
-      authn_context = @authn_statement.elements["saml:AuthnContext"]
+      authn_context = @authn_statement.at_xpath("saml:AuthnContext", NS)
       assert_equal "AuthnContext", authn_context.name
-      assert_equal "saml", authn_context.prefix
+      assert_equal "saml", authn_context.namespace.prefix
     end
 
     def test_authn_context_class_ref
-      ac = @authn_statement.elements["saml:AuthnContext"]
-      class_ref = ac.elements["saml:AuthnContextClassRef"]
+      ac = @authn_statement.at_xpath("saml:AuthnContext", NS)
+      class_ref = ac.at_xpath("saml:AuthnContextClassRef", NS)
       assert_equal "AuthnContextClassRef", class_ref.name
-      assert_equal "saml", class_ref.prefix
+      assert_equal "saml", class_ref.namespace.prefix
       assert_equal DEFAULTS.authn_context, class_ref.text
     end
 
@@ -237,62 +250,68 @@ module Lyrebird
       custom_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
       refute_equal custom_ref, DEFAULTS.authn_context
       assertion = Assertion.new(authn_context: custom_ref).document
-      as = assertion.root.elements["saml:AuthnStatement"]
-      ac = as.elements["saml:AuthnContext"]
-      class_ref = ac.elements["saml:AuthnContextClassRef"]
+      as = assertion.root.at_xpath("saml:AuthnStatement", NS)
+      ac = as.at_xpath("saml:AuthnContext", NS)
+      class_ref = ac.at_xpath("saml:AuthnContextClassRef", NS)
       assert_equal custom_ref, class_ref.text
     end
 
     def test_default_attributes
-      as = @root.elements["saml:AttributeStatement"]
-      attrs = as.elements.to_a("saml:Attribute")
+      as = @root.at_xpath("saml:AttributeStatement", NS)
+      attrs = as.xpath("saml:Attribute", NS)
       assert_equal 2, attrs.size
 
-      first = attrs.find { |a| a.attributes["Name"] == "first_name" }
-      assert_equal "Test", first.elements["saml:AttributeValue"].text
+      first = attrs.find { |a| a["Name"] == "first_name" }
+      assert_equal "Test", first.at_xpath("saml:AttributeValue", NS).text
 
-      last = attrs.find { |a| a.attributes["Name"] == "last_name" }
-      assert_equal "User", last.elements["saml:AttributeValue"].text
+      last = attrs.find { |a| a["Name"] == "last_name" }
+      assert_equal "User", last.at_xpath("saml:AttributeValue", NS).text
     end
 
     def test_no_attribute_statement_when_empty
       assertion = Assertion.new(attributes: {}).document
-      assert_nil assertion.root.elements["saml:AttributeStatement"]
+      assert_nil assertion.root.at_xpath("saml:AttributeStatement", NS)
     end
 
     def test_attribute_statement_with_single_value
       attributes = { "email" => "user@example.com" }
       assertion = Assertion.new(attributes: attributes).document
-      as = assertion.root.elements["saml:AttributeStatement"]
+      as = assertion.root.at_xpath("saml:AttributeStatement", NS)
       assert_equal "AttributeStatement", as.name
-      assert_equal "saml", as.prefix
+      assert_equal "saml", as.namespace.prefix
     end
 
     def test_attribute_name_and_format
       attributes = { "email" => "user@example.com" }
       assertion = Assertion.new(attributes: attributes).document
-      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      path = "saml:AttributeStatement/saml:Attribute"
+      attr = assertion.root.at_xpath(path, NS)
+
       assert_equal "Attribute", attr.name
-      assert_equal "saml", attr.prefix
-      assert_equal "email", attr.attributes["Name"]
-      assert_equal ATTR_NAME_FORMAT, attr.attributes["NameFormat"]
+      assert_equal "saml", attr.namespace.prefix
+      assert_equal "email", attr["Name"]
+      assert_equal ATTR_NAME_FORMAT, attr["NameFormat"]
     end
 
     def test_attribute_single_value
       attributes = { "email" => "user@example.com" }
       assertion = Assertion.new(attributes: attributes).document
-      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
-      value = attr.elements["saml:AttributeValue"]
+      path = "saml:AttributeStatement/saml:Attribute"
+      attr = assertion.root.at_xpath(path, NS)
+      value = attr.at_xpath("saml:AttributeValue", NS)
+
       assert_equal "AttributeValue", value.name
-      assert_equal "saml", value.prefix
+      assert_equal "saml", value.namespace.prefix
       assert_equal "user@example.com", value.text
     end
 
     def test_attribute_multi_value
       attributes = { "groups" => ["admin", "users", "developers"] }
       assertion = Assertion.new(attributes: attributes).document
-      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
-      values = attr.elements.to_a("saml:AttributeValue")
+      path = "saml:AttributeStatement/saml:Attribute"
+      attr = assertion.root.at_xpath(path, NS)
+      values = attr.xpath("saml:AttributeValue", NS)
+
       assert_equal 3, values.size
       assert_equal "admin", values[0].text
       assert_equal "users", values[1].text
@@ -307,20 +326,20 @@ module Lyrebird
       }
 
       assertion = Assertion.new(attributes: attributes).document
-      as = assertion.root.elements["saml:AttributeStatement"]
-      attrs = as.elements.to_a("saml:Attribute")
+      as = assertion.root.at_xpath("saml:AttributeStatement", NS)
+      attrs = as.xpath("saml:Attribute", NS)
       assert_equal 3, attrs.size
 
-      email_attr = attrs.find { |a| a.attributes["Name"] == "email" }
-      email_value = email_attr.elements["saml:AttributeValue"].text
+      email_attr = attrs.find { |a| a["Name"] == "email" }
+      email_value = email_attr.at_xpath("saml:AttributeValue", NS).text
       assert_equal "user@example.com", email_value
 
-      name_attr = attrs.find { |a| a.attributes["Name"] == "name" }
-      name_value = name_attr.elements["saml:AttributeValue"].text
+      name_attr = attrs.find { |a| a["Name"] == "name" }
+      name_value = name_attr.at_xpath("saml:AttributeValue", NS).text
       assert_equal "Test User", name_value
 
-      groups_attr = attrs.find { |a| a.attributes["Name"] == "groups" }
-      group_values = groups_attr.elements.to_a("saml:AttributeValue")
+      groups_attr = attrs.find { |a| a["Name"] == "groups" }
+      group_values = groups_attr.xpath("saml:AttributeValue", NS)
       assert_equal 2, group_values.size
       assert_equal "admin", group_values[0].text
       assert_equal "users", group_values[1].text