package org.rapidoid.http.handler;

import java.util.Collections;
import java.util.Set;
import org.rapidoid.RapidoidThing;
import org.rapidoid.ctx.Ctxs;
import org.rapidoid.ctx.UserInfo;
import org.rapidoid.http.HttpUtils;
import org.rapidoid.http.HttpWrapper;
import org.rapidoid.http.Req;
import org.rapidoid.http.customize.Customization;
import org.rapidoid.security.Secure;
import org.rapidoid.u.U;
import org.rapidoid.util.TokenAuthData;

/* loaded from: input_file:org/rapidoid/http/handler/HttpAuthWrapper.class */
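/**
 * HTTP wrapper that resolves the authenticated user for a request, enforces an optional
 * role requirement, and publishes the resulting {@link UserInfo} to the current context
 * before the wrapped handler runs.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code requiredRoles} is {@code null} or empty, no role check is performed and
 *       the handler is invoked for every caller, including unauthenticated ones.</li>
 *   <li>The context user is set only after the role check has passed.</li>
 *   <li>A failure in the roles provider aborts the request (it is rethrown), so a lookup
 *       error never results in the handler running with an unchecked user.</li>
 * </ul>
 */
public class HttpAuthWrapper extends RapidoidThing implements HttpWrapper {
    // Stored by reference (no defensive copy): mutating the caller's set after construction
    // changes which roles this wrapper accepts.
    private final Set<String> requiredRoles;

    /**
     * @param set roles of which the user must hold at least one; {@code null} or empty
     *            disables the role check in {@link #wrap}
     */
    public HttpAuthWrapper(Set<String> set) {
        this.requiredRoles = set;
    }

    /**
     * Authenticates and authorizes the request, then invokes the wrapped handler.
     *
     * @param req               the current request
     * @param handlerInvocation the handler to run once authorization has passed
     * @return whatever the wrapped handler returns
     * @throws SecurityException if roles are required and the user holds none of them
     * @throws Exception         anything thrown by the wrapped handler
     */
    @Override
    public Object wrap(Req req, HandlerInvocation handlerInvocation) throws Exception {
        TokenAuthData auth = HttpUtils.getAuth(req);
        String username = auth != null ? auth.user : null;

        // No usable username: drop any user data still attached to the request.
        if (U.isEmpty(username)) {
            HttpUtils.clearUserData(req);
        }

        Set<String> roles = userRoles(req, username);
        // Raw Set kept from the original; the element type of auth.scope is not visible here.
        Set scope = auth != null ? auth.scope : null;

        boolean rolesRequired = U.notEmpty(this.requiredRoles);
        if (rolesRequired && !Secure.hasAnyRole(username, roles, this.requiredRoles)) {
            // Deliberately generic: the message does not reveal which roles were expected.
            throw new SecurityException("The user doesn't have the required roles!");
        }

        // NOTE(review): an empty (non-null) username is passed on unchanged to hasAnyRole and
        // UserInfo; confirm that downstream code treats "" as anonymous.
        Ctxs.required().setUser(new UserInfo(username, roles, scope));
        return handlerInvocation.invoke();
    }

    /**
     * Looks up the roles of {@code username} through the request's configured roles provider.
     *
     * <p>A {@code null} or empty username yields an empty role set without consulting the
     * provider. This matches the {@code U.isEmpty} test that {@link #wrap} uses to decide the
     * request is anonymous; previously only {@code null} was short-circuited, so an empty
     * username had its user data cleared but was still sent to the roles provider.
     *
     * @param req      the current request, used to locate the roles provider
     * @param username the authenticated user name, possibly {@code null} or empty
     * @return the user's roles, or an empty set for an anonymous request
     */
    private Set<String> userRoles(Req req, String username) {
        if (U.isEmpty(username)) {
            return Collections.emptySet();
        }
        try {
            return Customization.of(req).rolesProvider().getRolesForUser(req, username);
        } catch (Exception e) {
            // Rethrow so that a provider failure stops the request instead of continuing
            // with an unknown role set.
            throw U.rte(e);
        }
    }
}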
