package org.apache.wss4j.policy.stax.enforcer;

import java.util.Deque;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.neethi.Assertion;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyComponent;
import org.apache.neethi.PolicyContainingAssertion;
import org.apache.neethi.PolicyOperator;
import org.apache.neethi.builders.PrimitiveAssertion;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.ContentEncryptedElements;
import org.apache.wss4j.policy.model.EncryptedElements;
import org.apache.wss4j.policy.model.EncryptedParts;
import org.apache.wss4j.policy.model.HttpsToken;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.KeyValueToken;
import org.apache.wss4j.policy.model.Layout;
import org.apache.wss4j.policy.model.RelToken;
import org.apache.wss4j.policy.model.RequiredElements;
import org.apache.wss4j.policy.model.RequiredParts;
import org.apache.wss4j.policy.model.SamlToken;
import org.apache.wss4j.policy.model.SecureConversationToken;
import org.apache.wss4j.policy.model.SecurityContextToken;
import org.apache.wss4j.policy.model.SignedElements;
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.Trust10;
import org.apache.wss4j.policy.model.Trust13;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.Wss10;
import org.apache.wss4j.policy.model.Wss11;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.stax.Assertable;
import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
import org.apache.wss4j.policy.stax.OperationPolicy;
import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.policy.stax.PolicyViolationException;
import org.apache.wss4j.policy.stax.assertionStates.AlgorithmSuiteAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.ContentEncryptedElementsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.EncryptedElementsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.EncryptedPartsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.HttpsTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.IncludeTimeStampAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.IssuedTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.KerberosTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.KeyValueTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.OnlySignEntireHeadersAndBodyAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.ProtectionOrderAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.RelTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.RequiredElementsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.RequiredPartsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SamlTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SecureConversationTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SecurityContextTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SignatureConfirmationAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SignatureProtectionAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SignedElementsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SignedPartsAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.SpnegoContextTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.TokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.TokenProtectionAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.UsernameTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.X509TokenAssertionState;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityEvent.NoSecuritySecurityEvent;
import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/wss4j/policy/stax/enforcer/PolicyEnforcer.class */
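/**
 * Security event listener that checks the events raised while a message is processed against
 * the WS-SecurityPolicy alternatives of the operation being invoked.
 *
 * <p>Each policy alternative is one entry of {@link #assertionStateMap}. An alternative that fails
 * an assertion is moved to {@link #failedAssertionStateMap}. Once no alternative is left the
 * message is rejected, with one exception documented on {@link #isUnsecuredFaultOnInitiator()}.
 *
 * <p>{@link #registerSecurityEvent(SecurityEvent)} is synchronized; {@link #doFinal()} is not.
 */
public class PolicyEnforcer implements SecurityEventListener {
    private static final Logger LOG = LoggerFactory.getLogger(PolicyEnforcer.class);
    private static final QName SOAP11_FAULT = new QName("http://schemas.xmlsoap.org/soap/envelope/", "Fault");
    private static final QName SOAP12_FAULT = new QName("http://www.w3.org/2003/05/soap-envelope", "Fault");
    private final List<OperationPolicy> operationPolicies;
    private OperationPolicy effectivePolicy;
    private boolean initiator;
    private String actorOrRole;
    private int attachmentCount;
    private boolean noSecurityHeader;
    private boolean faultOccurred;
    private final PolicyAsserter policyAsserter;
    private boolean soap12;
    // Events that arrive before the OPERATION event; replayed in arrival order once it is seen.
    private final Deque<SecurityEvent> securityEventQueue = new LinkedList<>();
    private boolean operationSecurityEventOccured = false;
    // One map per policy alternative that is still satisfiable.
    private final List<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> assertionStateMap = new LinkedList<>();
    // Alternatives that already failed; kept so the failures can be logged.
    private final List<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> failedAssertionStateMap = new LinkedList<>();

    /**
     * Creates an enforcer and, when a SOAP action is supplied, selects the effective policy from it.
     *
     * @param operationPolicies candidate policies, one per operation
     * @param soapAction        SOAP action used to pick the policy; may be {@code null} or empty, in
     *                          which case the policy is picked later from the OPERATION event
     * @param initiator         {@code true} when this side initiated the exchange
     * @param actorOrRole       actor/role handed to the "only sign entire headers and body" check
     * @param attachmentCount   attachment count handed to the signed/encrypted parts checks
     * @param policyAsserter    receiver of assertion results; a {@link DummyPolicyAsserter} is used
     *                          when {@code null}
     * @param soap12            {@code true} to use the SOAP 1.2 security header path
     * @throws WSSPolicyException if the selected policy contains an unsupported component
     */
    public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
                          String actorOrRole, int attachmentCount, PolicyAsserter policyAsserter,
                          boolean soap12) throws WSSPolicyException {
        this.operationPolicies = operationPolicies;
        this.initiator = initiator;
        this.actorOrRole = actorOrRole;
        this.attachmentCount = attachmentCount;
        this.soap12 = soap12;
        this.policyAsserter = policyAsserter != null ? policyAsserter : new DummyPolicyAsserter();

        if (soapAction != null && !soapAction.isEmpty()) {
            // A policy selected here is kept for the whole message: registerSecurityEvent only
            // looks the policy up by operation name when this lookup found nothing.
            // NOTE(review): nothing in this class compares the action with the operation that is
            // later reported by the OPERATION event - confirm the caller enforces that match.
            this.effectivePolicy = findPolicyBySOAPAction(operationPolicies, soapAction);
            if (this.effectivePolicy != null) {
                buildAssertionStateMap(this.effectivePolicy.getPolicy(), this.assertionStateMap);
            }
        }
    }

    /** Returns the first policy whose operation action equals {@code soapAction}, or {@code null}. */
    private OperationPolicy findPolicyBySOAPAction(List<OperationPolicy> candidates, String soapAction) {
        for (OperationPolicy candidate : candidates) {
            if (soapAction.equals(candidate.getOperationAction())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Finds the policy for an operation name.
     *
     * <p>An exact QName match wins immediately. A policy whose operation name has no namespace is
     * accepted as a fallback when only the local part matches; the last such policy in the list is
     * returned, so an operation from any namespace can select it.
     *
     * @return the matching policy, or {@code null} when none matches
     */
    private OperationPolicy findPolicyBySOAPOperationName(List<OperationPolicy> candidates, QName operation) {
        OperationPolicy localNameMatch = null;
        for (OperationPolicy candidate : candidates) {
            QName candidateName = candidate.getOperationName();
            if (candidateName == null) {
                continue;
            }
            if (operation.equals(candidateName)) {
                return candidate;
            }
            String namespace = candidateName.getNamespaceURI();
            boolean unqualified = namespace == null || namespace.length() == 0;
            if (unqualified && operation.getLocalPart().equals(candidateName.getLocalPart())) {
                localNameMatch = candidate;
            }
        }
        return localNameMatch;
    }

    /**
     * Walks a policy operator and creates one state map per child of every {@link ExactlyOne}.
     *
     * @param policyComponent operator to walk; anything else is rejected
     * @param alternatives    list that receives one map per alternative
     * @throws WSSPolicyException if {@code policyComponent} is not a {@link PolicyOperator} or an
     *                            unsupported component is found below it
     */
    private void buildAssertionStateMap(PolicyComponent policyComponent, List<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> alternatives) throws WSSPolicyException {
        if (!(policyComponent instanceof PolicyOperator)) {
            throw new WSSPolicyException("Invalid PolicyComponent: " + policyComponent + " " + ((int) policyComponent.getType()));
        }
        PolicyOperator operator = (PolicyOperator) policyComponent;
        boolean exactlyOne = operator instanceof ExactlyOne;
        // NOTE(review): the index counts from 0 for every operator, while the new map is appended
        // at the end of the list; the two agree only if the list was empty on entry - confirm.
        int alternativeIndex = 0;
        for (PolicyComponent child : operator.getPolicyComponents()) {
            if (exactlyOne) {
                alternatives.add(new HashMap<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>());
                buildAssertionStateMap(child, alternatives, alternativeIndex);
                alternativeIndex++;
            } else {
                buildAssertionStateMap(child, alternatives);
            }
        }
    }

    /**
     * Registers the states of every security assertion below {@code policyComponent} in the
     * alternative at {@code alternativeIndex}, keyed by the event types each state listens to.
     *
     * @throws WSSPolicyException if a component is neither an operator, a security assertion nor a
     *                            {@link PrimitiveAssertion}
     */
    private void buildAssertionStateMap(PolicyComponent policyComponent, List<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> alternatives, int alternativeIndex) throws WSSPolicyException {
        if (policyComponent instanceof PolicyOperator) {
            for (PolicyComponent child : ((PolicyOperator) policyComponent).getPolicyComponents()) {
                buildAssertionStateMap(child, alternatives, alternativeIndex);
            }
            return;
        }
        if (!(policyComponent instanceof AbstractSecurityAssertion)) {
            // Primitive assertions are skipped without registering any state.
            if (!(policyComponent instanceof PrimitiveAssertion)) {
                throw new WSSPolicyException("Unsupported PolicyComponent: " + policyComponent + " type: " + ((int) policyComponent.getType()));
            }
            return;
        }

        AbstractSecurityAssertion securityAssertion = (AbstractSecurityAssertion) policyComponent;
        for (Assertable state : getAssertableForAssertion(securityAssertion)) {
            Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>> alternative = alternatives.get(alternativeIndex);
            for (SecurityEventConstants.Event eventType : state.getSecurityEventType()) {
                Map<Assertion, List<Assertable>> statesByAssertion = alternative.get(eventType);
                if (statesByAssertion == null) {
                    statesByAssertion = new HashMap<>();
                    alternative.put(eventType, statesByAssertion);
                }
                addAssertionState(statesByAssertion, securityAssertion, state);
            }
        }
        if (securityAssertion instanceof PolicyContainingAssertion) {
            // Nested policies belong to the same alternative as their parent assertion.
            buildAssertionStateMap(((PolicyContainingAssertion) securityAssertion).getPolicy(), alternatives, alternativeIndex);
        }
    }

    /** Appends {@code state} to the list stored for {@code assertion}, creating the list on first use. */
    private void addAssertionState(Map<Assertion, List<Assertable>> statesByAssertion, Assertion assertion, Assertable state) {
        List<Assertable> states = statesByAssertion.get(assertion);
        if (states == null) {
            states = new LinkedList<>();
            statesByAssertion.put(assertion, states);
        }
        states.add(state);
    }

    /**
     * Decides from the token's inclusion type and this side's role whether the token is required.
     */
    private boolean isTokenRequired(AbstractToken token) {
        SPConstants.IncludeTokenType inclusion = token.getIncludeTokenType();
        if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER) {
            return false;
        }
        if (this.initiator) {
            return inclusion != SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
                    && inclusion != SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE;
        }
        return inclusion != SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR;
    }

    /** Returns the path of {@code child} below the wsse:Security header for the SOAP version in use. */
    private List<QName> securityHeaderChildPath(QName child) {
        List<QName> path = new LinkedList<>();
        if (this.soap12) {
            path.addAll(WSSConstants.SOAP_12_WSSE_SECURITY_HEADER_PATH);
        } else {
            path.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
        }
        path.add(child);
        return path;
    }

    /**
     * Creates the states that track one security assertion.
     *
     * <p>Several assertion kinds get no state at all: Layout, the Wss10/Wss11 and Trust10/Trust13
     * "must support"/"require" flags, and every assertion type not listed here are only reported
     * through {@code policyAsserter.assertPolicy(...)}. Nothing in this class checks those against
     * the message.
     *
     * <p>The boolean passed to each state constructor is presumably its initial "asserted" value
     * (for tokens: {@code true} when the token is not required) - confirm against the state classes.
     *
     * @param abstractSecurityAssertion assertion taken from the policy
     * @return the states to register for the assertion; possibly empty
     * @throws WSSPolicyException declared for subclasses and state constructors
     */
    protected List<Assertable> getAssertableForAssertion(AbstractSecurityAssertion abstractSecurityAssertion) throws WSSPolicyException {
        List<Assertable> states = new LinkedList<>();
        boolean tokenRequired = true;
        if (abstractSecurityAssertion instanceof AbstractToken) {
            tokenRequired = isTokenRequired((AbstractToken) abstractSecurityAssertion);
        }

        if (abstractSecurityAssertion instanceof ContentEncryptedElements) {
            states.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, this.policyAsserter, true));
        } else if (abstractSecurityAssertion instanceof EncryptedParts) {
            states.add(new EncryptedPartsAssertionState(abstractSecurityAssertion, this.policyAsserter, true, this.attachmentCount, this.soap12));
        } else if (abstractSecurityAssertion instanceof EncryptedElements) {
            states.add(new EncryptedElementsAssertionState(abstractSecurityAssertion, this.policyAsserter, true));
        } else if (abstractSecurityAssertion instanceof SignedParts) {
            states.add(new SignedPartsAssertionState(abstractSecurityAssertion, this.policyAsserter, true, this.attachmentCount, this.soap12));
        } else if (abstractSecurityAssertion instanceof SignedElements) {
            states.add(new SignedElementsAssertionState(abstractSecurityAssertion, this.policyAsserter, true));
        } else if (abstractSecurityAssertion instanceof RequiredElements) {
            states.add(new RequiredElementsAssertionState(abstractSecurityAssertion, this.policyAsserter, false));
        } else if (abstractSecurityAssertion instanceof RequiredParts) {
            states.add(new RequiredPartsAssertionState(abstractSecurityAssertion, this.policyAsserter, false, this.soap12));
        } else if (abstractSecurityAssertion instanceof UsernameToken) {
            states.add(new UsernameTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof IssuedToken) {
            states.add(new IssuedTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof X509Token) {
            states.add(new X509TokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof KerberosToken) {
            states.add(new KerberosTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof SpnegoContextToken) {
            states.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof SecureConversationToken) {
            states.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof SecurityContextToken) {
            states.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof SamlToken) {
            states.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof RelToken) {
            states.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof HttpsToken) {
            // On the initiator side the HTTPS token state always starts with the flag set.
            states.add(new HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired || this.initiator, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof KeyValueToken) {
            states.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired, this.policyAsserter, this.initiator));
        } else if (abstractSecurityAssertion instanceof AlgorithmSuite) {
            states.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, this.policyAsserter, true));
        } else if (abstractSecurityAssertion instanceof Layout) {
            // All four layout variants are reported regardless of which one the policy names.
            String layoutNamespace = abstractSecurityAssertion.getName().getNamespaceURI();
            this.policyAsserter.assertPolicy(new QName(layoutNamespace, SPConstants.LAYOUT_LAX));
            this.policyAsserter.assertPolicy(new QName(layoutNamespace, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
            this.policyAsserter.assertPolicy(new QName(layoutNamespace, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
            this.policyAsserter.assertPolicy(new QName(layoutNamespace, SPConstants.LAYOUT_STRICT));
            this.policyAsserter.assertPolicy(abstractSecurityAssertion);
        } else if (abstractSecurityAssertion instanceof AbstractBinding) {
            this.policyAsserter.assertPolicy(abstractSecurityAssertion);
            AbstractBinding binding = (AbstractBinding) abstractSecurityAssertion;
            if (binding instanceof AbstractSymmetricAsymmetricBinding) {
                AbstractSymmetricAsymmetricBinding symAsymBinding = (AbstractSymmetricAsymmetricBinding) abstractSecurityAssertion;
                states.add(new ProtectionOrderAssertionState(symAsymBinding, this.policyAsserter, true));
                states.add(new SignatureProtectionAssertionState(symAsymBinding, this.policyAsserter, true));
                if (symAsymBinding.isOnlySignEntireHeadersAndBody()) {
                    states.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, this.policyAsserter, true, this.actorOrRole));
                }
                states.add(new TokenProtectionAssertionState(abstractSecurityAssertion, this.policyAsserter, true, this.soap12));
            }
            states.add(new IncludeTimeStampAssertionState(binding, this.policyAsserter, true));
            if (binding.isIncludeTimestamp()) {
                // A required timestamp must be present in the security header and be signed.
                List<QName> timestampPath = securityHeaderChildPath(WSSConstants.TAG_WSU_TIMESTAMP);
                RequiredElementsAssertionState timestampPresent = new RequiredElementsAssertionState(binding, this.policyAsserter, false);
                timestampPresent.addElement(timestampPath);
                states.add(timestampPresent);
                SignedElementsAssertionState timestampSigned = new SignedElementsAssertionState(abstractSecurityAssertion, this.policyAsserter, true);
                timestampSigned.addElement(timestampPath);
                states.add(timestampSigned);
            }
        } else if (abstractSecurityAssertion instanceof Wss10) {
            Wss10 wss10 = (Wss10) abstractSecurityAssertion;
            String wssNamespace = wss10.getName().getNamespaceURI();
            this.policyAsserter.assertPolicy(abstractSecurityAssertion);
            if (wss10.isMustSupportRefEmbeddedToken()) {
                this.policyAsserter.assertPolicy(new QName(wssNamespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN));
            }
            if (wss10.isMustSupportRefExternalURI()) {
                this.policyAsserter.assertPolicy(new QName(wssNamespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI));
            }
            if (wss10.isMustSupportRefIssuerSerial()) {
                this.policyAsserter.assertPolicy(new QName(wssNamespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL));
            }
            if (wss10.isMustSupportRefKeyIdentifier()) {
                this.policyAsserter.assertPolicy(new QName(wssNamespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER));
            }
            if (abstractSecurityAssertion instanceof Wss11) {
                Wss11 wss11 = (Wss11) abstractSecurityAssertion;
                if (wss11.isMustSupportRefEncryptedKey()) {
                    this.policyAsserter.assertPolicy(new QName(wssNamespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
                }
                if (wss11.isMustSupportRefThumbprint()) {
                    this.policyAsserter.assertPolicy(new QName(wssNamespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
                }
                if (wss11.isRequireSignatureConfirmation()) {
                    states.add(new SignatureConfirmationAssertionState(wss11, this.policyAsserter, true));
                    if (this.initiator) {
                        // Only the initiator requires the confirmation element to be present and signed.
                        List<QName> sigConfPath = securityHeaderChildPath(WSSConstants.TAG_WSSE11_SIG_CONF);
                        RequiredElementsAssertionState sigConfPresent = new RequiredElementsAssertionState(wss11, this.policyAsserter, false);
                        sigConfPresent.addElement(sigConfPath);
                        states.add(sigConfPresent);
                        SignedElementsAssertionState sigConfSigned = new SignedElementsAssertionState(wss11, this.policyAsserter, true);
                        sigConfSigned.addElement(sigConfPath);
                        states.add(sigConfSigned);
                    }
                }
            }
        } else if (abstractSecurityAssertion instanceof Trust10) {
            Trust10 trust10 = (Trust10) abstractSecurityAssertion;
            String trustNamespace = trust10.getName().getNamespaceURI();
            this.policyAsserter.assertPolicy(abstractSecurityAssertion);
            if (trust10.isMustSupportClientChallenge()) {
                this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE));
            }
            if (trust10.isMustSupportIssuedTokens()) {
                this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.MUST_SUPPORT_ISSUED_TOKENS));
            }
            if (trust10.isMustSupportServerChallenge()) {
                this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE));
            }
            if (trust10.isRequireClientEntropy()) {
                this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.REQUIRE_CLIENT_ENTROPY));
            }
            if (trust10.isRequireServerEntropy()) {
                this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.REQUIRE_SERVER_ENTROPY));
            }
            if (trust10 instanceof Trust13) {
                Trust13 trust13 = (Trust13) trust10;
                if (trust13.isMustSupportInteractiveChallenge()) {
                    this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
                }
                if (trust13.isRequireAppliesTo()) {
                    this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.REQUIRE_APPLIES_TO));
                }
                if (trust13.isRequireRequestSecurityTokenCollection()) {
                    this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
                }
                if (trust13.isScopePolicy15()) {
                    this.policyAsserter.assertPolicy(new QName(trustNamespace, SPConstants.SCOPE_POLICY_15));
                }
            }
        } else {
            // Any other assertion type is reported without a state, i.e. it is not enforced here.
            this.policyAsserter.assertPolicy(abstractSecurityAssertion);
        }
        return states;
    }

    /**
     * Tells whether an empty set of remaining alternatives is tolerated.
     *
     * <p>This is the one path on which a message passes although no policy alternative holds: a
     * SOAP fault, received by the initiator, in a message without a security header. Such a fault
     * is unauthenticated, so its content must not be trusted by the code that consumes it.
     */
    private boolean isUnsecuredFaultOnInitiator() {
        return this.faultOccurred && this.noSecurityHeader && this.initiator;
    }

    /**
     * Feeds one event to every state listening to its type and retires alternatives that reject it.
     *
     * @throws PolicyViolationException if no alternative is left afterwards
     */
    private void verifyPolicy(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
        // Alternatives that already failed still see the event so their states stay up to date
        // for logging. A rejection only stops the state list of the current assertion.
        for (Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>> failedAlternative : this.failedAssertionStateMap) {
            Map<Assertion, List<Assertable>> statesByAssertion = failedAlternative.get(securityEvent.getSecurityEventType());
            if (statesByAssertion == null || statesByAssertion.isEmpty()) {
                continue;
            }
            for (List<Assertable> states : statesByAssertion.values()) {
                for (Assertable state : states) {
                    if (!state.assertEvent(securityEvent)) {
                        break;
                    }
                }
            }
        }

        String failureMessage = null;
        Iterator<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> alternativeIt = this.assertionStateMap.iterator();
        nextAlternative:
        while (alternativeIt.hasNext()) {
            Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>> alternative = alternativeIt.next();
            Map<Assertion, List<Assertable>> statesByAssertion = alternative.get(securityEvent.getSecurityEventType());
            if (statesByAssertion == null || statesByAssertion.isEmpty()) {
                continue;
            }
            for (List<Assertable> states : statesByAssertion.values()) {
                for (Assertable state : states) {
                    if (!state.assertEvent(securityEvent)) {
                        failureMessage = state.getErrorMessage();
                        this.failedAssertionStateMap.add(alternative);
                        alternativeIt.remove();
                        // Leave this alternative at once: scanning on would never terminate and
                        // could retire the same alternative a second time.
                        continue nextAlternative;
                    }
                }
            }
        }

        if (this.assertionStateMap.isEmpty()) {
            if (isUnsecuredFaultOnInitiator()) {
                return;
            }
            logFailedAssertions();
            throw new PolicyViolationException(failureMessage);
        }
    }

    /**
     * Final check: every state of every remaining alternative must be asserted.
     *
     * @throws WSSPolicyException if no alternative is left afterwards
     */
    private void verifyPolicy() throws WSSPolicyException {
        String failureMessage = null;
        Iterator<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> alternativeIt = this.assertionStateMap.iterator();
        nextAlternative:
        while (alternativeIt.hasNext()) {
            Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>> alternative = alternativeIt.next();
            for (Map<Assertion, List<Assertable>> statesByAssertion : alternative.values()) {
                for (List<Assertable> states : statesByAssertion.values()) {
                    for (Assertable state : states) {
                        if (!state.isAsserted()) {
                            failureMessage = state.getErrorMessage();
                            this.failedAssertionStateMap.add(alternative);
                            alternativeIt.remove();
                            // One unasserted state fails the alternative; stop scanning it so it
                            // is retired exactly once.
                            continue nextAlternative;
                        }
                    }
                }
            }
        }

        if (this.assertionStateMap.isEmpty()) {
            if (isUnsecuredFaultOnInitiator()) {
                return;
            }
            logFailedAssertions();
            throw new WSSPolicyException(failureMessage);
        }
    }

    /**
     * Tells whether a state is checked as soon as the OPERATION event has been processed, even if
     * it is not flagged as a hard failure.
     */
    private boolean isCheckedAfterOperationEvent(Assertable state) {
        if (state instanceof TokenAssertionState) {
            AbstractToken token = (AbstractToken) ((TokenAssertionState) state).getAssertion();
            return token.getParentAssertion() instanceof SupportingTokens
                    || state instanceof HttpsTokenAssertionState
                    || state instanceof RelTokenAssertionState
                    || state instanceof SecurityContextTokenAssertionState
                    || state instanceof SpnegoContextTokenAssertionState
                    || state instanceof UsernameTokenAssertionState;
        }
        return state instanceof TokenProtectionAssertionState
                || state instanceof SignatureConfirmationAssertionState
                || state instanceof IncludeTimeStampAssertionState
                || state instanceof RequiredPartsAssertionState
                || state instanceof SignatureProtectionAssertionState;
    }

    /**
     * Check run right after the OPERATION event: hard-failure states and the state kinds selected
     * by {@link #isCheckedAfterOperationEvent(Assertable)} must already be asserted.
     *
     * @throws WSSPolicyException if no alternative is left afterwards
     */
    private void verifyPolicyAfterOperationSecurityEvent() throws WSSPolicyException {
        String failureMessage = null;
        Iterator<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>> alternativeIt = this.assertionStateMap.iterator();
        nextAlternative:
        while (alternativeIt.hasNext()) {
            Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>> alternative = alternativeIt.next();
            for (Map<Assertion, List<Assertable>> statesByAssertion : alternative.values()) {
                for (List<Assertable> states : statesByAssertion.values()) {
                    for (Assertable state : states) {
                        boolean checkedNow = isCheckedAfterOperationEvent(state);
                        if ((checkedNow || state.isHardFailure()) && !state.isAsserted()) {
                            failureMessage = state.getErrorMessage();
                            this.failedAssertionStateMap.add(alternative);
                            alternativeIt.remove();
                            // The alternative is retired exactly once; move on to the next one.
                            continue nextAlternative;
                        }
                    }
                }
            }
        }

        if (this.assertionStateMap.isEmpty()) {
            if (isUnsecuredFaultOnInitiator()) {
                return;
            }
            logFailedAssertions();
            throw new WSSPolicyException(failureMessage);
        }
    }

    /** Logs every unasserted state of the failed alternatives once, then marks it as logged. */
    private void logFailedAssertions() {
        for (Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>> failedAlternative : this.failedAssertionStateMap) {
            for (Map<Assertion, List<Assertable>> statesByAssertion : failedAlternative.values()) {
                for (Map.Entry<Assertion, List<Assertable>> entry : statesByAssertion.entrySet()) {
                    for (Assertable state : entry.getValue()) {
                        if (!state.isAsserted() && !state.isLogged()) {
                            LOG.error("{} not satisfied: {}", entry.getKey().getName(), state.getErrorMessage());
                            state.setLogged(true);
                        }
                    }
                }
            }
        }
    }

    /**
     * Receives one security event.
     *
     * <p>Events seen before the OPERATION event are queued. The OPERATION event fixes the effective
     * policy (unless the constructor already selected one), replays the queue in arrival order and
     * runs the post-operation check. Every later event is verified immediately.
     *
     * @throws WSSecurityException with {@code INVALID_SECURITY} when the policy is violated or
     *                             cannot be built
     */
    @Override // org.apache.xml.security.stax.securityEvent.SecurityEventListener
    public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
        if (!this.noSecurityHeader && (securityEvent instanceof NoSecuritySecurityEvent)) {
            this.noSecurityHeader = true;
        }
        if (this.operationSecurityEventOccured) {
            try {
                verifyPolicy(securityEvent);
            } catch (WSSPolicyException | XMLSecurityException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
            }
        }
        if (!WSSecurityEventConstants.OPERATION.equals(securityEvent.getSecurityEventType())) {
            this.securityEventQueue.push(securityEvent);
            return;
        }

        this.operationSecurityEventOccured = true;
        OperationSecurityEvent operationEvent = (OperationSecurityEvent) securityEvent;
        if (!this.faultOccurred && (SOAP11_FAULT.equals(operationEvent.getOperation()) || SOAP12_FAULT.equals(operationEvent.getOperation()))) {
            this.faultOccurred = true;
        }
        if (this.effectivePolicy == null) {
            this.effectivePolicy = findPolicyBySOAPOperationName(this.operationPolicies, operationEvent.getOperation());
            if (this.effectivePolicy == null) {
                // No policy matches the operation: fall back to a freshly created Policy.
                // NOTE(review): presumably this yields no alternative, so the checks below reject
                // the message (unless the unsecured-fault exception applies) - confirm.
                this.effectivePolicy = new OperationPolicy(new QName(null, "NoPolicyFoundForOperation"));
                this.effectivePolicy.setPolicy(new Policy());
            }
            try {
                buildAssertionStateMap(this.effectivePolicy.getPolicy(), this.assertionStateMap);
            } catch (WSSPolicyException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
            }
        }
        try {
            // push() adds at the head, so the descending iterator yields arrival order.
            Iterator<SecurityEvent> queued = this.securityEventQueue.descendingIterator();
            while (queued.hasNext()) {
                verifyPolicy(queued.next());
            }
            verifyPolicy(securityEvent);
            verifyPolicyAfterOperationSecurityEvent();
            this.securityEventQueue.clear();
        } catch (WSSPolicyException | XMLSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
        }
    }

    /**
     * Runs the final policy check once all events have been registered.
     *
     * @throws WSSPolicyException if no policy alternative is fully asserted
     */
    public void doFinal() throws WSSPolicyException {
        verifyPolicy();
    }
}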
