}
    }
  }

  @ExperimentalOkHttpApi
  companion object {
    private const val CLIENT_AUTH_NONE = 0
    private const val CLIENT_AUTH_REQUESTED = 1
    private const val CLIENT_AUTH_REQUIRED = 2

    private val UNTRUSTED_TRUST_MANAGER =
      object : X509TrustManager {
        @Throws(CertificateException::class)

    val responseCode = userResponse.code

    val method = userResponse.request.method
    when (responseCode) {
      HTTP_PROXY_AUTH -> {
        val selectedProxy = route!!.proxy
        if (selectedProxy.type() != Proxy.Type.HTTP) {
          throw ProtocolException("Received HTTP_PROXY_AUTH (407) code while not using proxy")
        }
        return client.proxyAuthenticator.authenticate(route, userResponse)
      }

import javax.net.ssl.SSLException
import javax.net.ssl.SSLHandshakeException
import javax.net.ssl.SSLPeerUnverifiedException
import javax.net.ssl.SSLSocketFactory
import javax.net.ssl.TrustManager
import javax.security.auth.x500.X500Principal
import kotlin.test.assertFailsWith
import mockwebserver3.MockResponse
import mockwebserver3.MockWebServer
import okhttp3.OkHttpClient
import okhttp3.OkHttpClientTestRule

 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package okhttp3.internal.tls

import java.security.cert.X509Certificate
import javax.security.auth.x500.X500Principal

/** A simple index that of trusted root certificates that have been loaded into memory. */
class BasicTrustRootIndex(vararg caCerts: X509Certificate) : TrustRootIndex {

   * This avoids sending potentially sensitive data like HTTP cookies to the proxy unencrypted.
   *
   * In order to support preemptive authentication we pass a fake "Auth Failed" response to the
   * authenticator. This gives the authenticator the option to customize the CONNECT request. It can
   * decline to do so by returning null, in which case OkHttp will use it as-is.
   */

      "RequestHeadersEnd", "ResponseHeadersStart", "ResponseHeadersEnd", "ResponseBodyStart",
      "ResponseBodyEnd", "ConnectionReleased", "CallEnd", "RequestFailed",
    )
  }

  /**
   * Auth requires follow-ups. Unlike redirects, the auth follow-up also has a request body. This
   * test makes a single call with two duplex requests!
   */
  @Test
  fun duplexWithAuthChallenge() {
    enableProtocol(Protocol.HTTP_2)

      MockResponse(body = "Successful auth!"),
    )
    val credential = basic("username", "password")
    client =
      client.newBuilder()
        .authenticator(RecordingOkAuthenticator(credential, "Basic"))
        .build()
    val call = client.newCall(Request(server.url("/")))
    val response = call.execute()
    assertThat(response.body.string()).isEqualTo("Successful auth!")
    val denied = server.takeRequest()

    server.useHttps(handshakeCertificates.sslSocketFactory())
    server.enqueue(
      MockResponse(
        code = HttpURLConnection.HTTP_PROXY_AUTH,
        headers = headersOf("Proxy-Authenticate", "Basic realm=\"localhost\""),
        body = "proxy auth required",
        inTunnel = true,
      ),
    )
    server.enqueue(MockResponse(inTunnel = true))
    server.enqueue(MockResponse())

import assertk.assertions.isTrue
import java.io.ByteArrayInputStream
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLSession
import javax.security.auth.x500.X500Principal
import okhttp3.FakeSSLSession
import okhttp3.OkHttpClient
import okhttp3.internal.canParseAsIpAddress
import okhttp3.internal.platform.Platform.Companion.isAndroid
import okhttp3.testing.PlatformRule

    created before HTTP/2 settings have been acknowledged.
 *  Fix: Improve recovery from failed routes.
 *  Fix: Accommodate tunneling proxies that close the connection after an auth
    challenge.
 *  Fix: Use the proxy authenticator when authenticating HTTP proxies. This
    regression was introduced in OkHttp 3.0.
 *  Fix: Fail fast if network interceptors transform the response body such that