@@ -52,6 +52,7 @@ impl TryFrom<&str> for RelyingPartyId {
5252 return Err ( Error :: EmptyRelyingPartyId ) ;
5353 }
5454
55+ // Check for IP addresses (both IPv4 and IPv6)
5556 if value. parse :: < IpAddr > ( ) . is_ok ( ) {
5657 return Err ( Error :: IpAddressNotAllowed ( value. to_string ( ) ) ) ;
5758 }
@@ -128,9 +129,46 @@ mod tests {
128129 }
129130
130131 #[ test]
131- fn test_relying_party_id_rejects_ip_address ( ) {
132- let result = RelyingPartyId :: try_from ( "127.0.0.1" ) ;
133- assert ! ( matches!( result, Err ( Error :: IpAddressNotAllowed ( _) ) ) ) ;
132+ fn test_relying_party_id_rejects_ipv4_address ( ) {
133+ let ipv4_addresses = [ "127.0.0.1" , "192.168.1.1" , "10.0.0.1" , "255.255.255.255" ] ;
134+ for ip in ipv4_addresses {
135+ let result = RelyingPartyId :: try_from ( ip) ;
136+ assert ! (
137+ matches!( result, Err ( Error :: IpAddressNotAllowed ( _) ) ) ,
138+ "Expected IPv4 address '{}' to be rejected" ,
139+ ip
140+ ) ;
141+ }
142+ }
143+
144+ #[ test]
145+ fn test_relying_party_id_rejects_ipv6_address ( ) {
146+ // Unbracketed format - must be rejected as IP address
147+ let ipv6_addresses = [ "::1" , "2001:db8::1" , "fe80::1" , "::ffff:192.168.1.1" ] ;
148+ for ip in ipv6_addresses {
149+ let result = RelyingPartyId :: try_from ( ip) ;
150+ assert ! (
151+ matches!( result, Err ( Error :: IpAddressNotAllowed ( _) ) ) ,
152+ "Expected IPv6 address '{}' to be rejected as IP address" ,
153+ ip
154+ ) ;
155+ }
156+
157+ // Bracketed format (RFC 2732) - must be rejected (either as IP or invalid domain)
158+ let bracketed_ipv6 = [
159+ "[::1]" ,
160+ "[2001:db8::1]" ,
161+ "[fe80::1]" ,
162+ "[::ffff:192.168.1.1]" ,
163+ ] ;
164+ for ip in bracketed_ipv6 {
165+ let result = RelyingPartyId :: try_from ( ip) ;
166+ assert ! (
167+ result. is_err( ) ,
168+ "Expected bracketed IPv6 address '{}' to be rejected" ,
169+ ip
170+ ) ;
171+ }
134172 }
135173
136174 #[ test]
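Review bot: The new rejection tests only use spellings that `value.parse::<IpAddr>()` itself accepts, so they do not pin what happens to host strings that Rust's parser refuses but that other host parsers may still resolve as an address. Examples are a trailing dot (`"127.0.0.1."`), single-integer or hex IPv4 forms (`"2130706433"`, `"0x7f.0.0.1"`) and a zoned IPv6 literal (`"fe80::1%eth0"`). Whether those are rejected depends on the domain validation later in `try_from`, which is outside these hunks, so I would add them as a further list asserted with `assert!(RelyingPartyId::try_from(ip).is_err(), "Expected '{}' to be rejected", ip);`. The bracketed loop has the same dependency: it passes on any error, so `"[::1]"` is presumably rejected by the domain check rather than as `Error::IpAddressNotAllowed(_)`. If callers distinguish the variant, strip a surrounding `[`/`]` before the `IpAddr` parse and assert the variant in that loop too.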