}

    public User load(final User user) {
        User u = user;
        for (final AuthenticationChain chain : chains) {
            u = chain.load(u);
        }
        return u;
    }

    public void addChain(final AuthenticationChain chain) {
        chains = ArrayUtils.addAll(chains, chain);
    }

    protected StreamOf<AuthenticationChain> chains() {
        return stream(chains);
    }

        FilterChain chain = createDefaultFilterChain();
        for (final Filter element : filterList) {
            chain = appendFilterChain(element, chain);
        }
        filterChain = chain;
    }

    protected FilterChain appendFilterChain(final Filter filter, final FilterChain chain) {
        return (context, query, boost) -> filter.execute(context, query, boost, chain);
    }

    protected void createFilterChain() {
        FilterChain chain = createDefaultFilterChain();
        for (final Filter element : filterList) {
            chain = appendFilterChain(element, chain);
        }
        filterChain = chain;
    }

    protected FilterChain appendFilterChain(final Filter filter, final FilterChain chain) {
        return query -> filter.parse(query, chain);
    }

   *                     -> phonyVictim
   * ```
   *
   * But this chain is wrong because the attackerSwitch certificate is being used in a CA role even
   * though it is not a CA certificate. There are pinned certificates in the chain! The correct
   * chain is much shorter because it skips the non-CA certificate.
   *
   * ```
   *   attackerCa
   *     -> attackerIntermediate

    @Override public Response intercept(Chain chain) throws IOException {
      long t1 = System.nanoTime();
      Request request = chain.request();
      logger.info(String.format("Sending request %s on %s%n%s",
          request.url(), chain.connection(), request.headers()));
      Response response = chain.proceed(request);

      long t2 = System.nanoTime();

     *     chain.proceed(chain.request())
     * }
     * ```
     */
    inline operator fun invoke(crossinline block: (chain: Chain) -> Response): Interceptor = Interceptor { block(it) }
  }

  interface Chain {
    fun request(): Request

    @Throws(IOException::class)
    fun proceed(request: Request): Response

    /**

    @Override public Response intercept(Chain chain) throws IOException {
      Request request = chain.request();
      Headers newHeaders = request.headers()
          .newBuilder()
          .add("Date", new Date())
          .build();
      Request newRequest = request.newBuilder()
          .headers(newHeaders)
          .build();
      return chain.proceed(newRequest);
    }
  }

import okhttp3.internal.platform.Platform

/**
 * Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs.
 * Cleaning a chain returns a list of certificates where the first element is `chain[0]`, each
 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to

      this.host = host;
    }

    @Override public Response intercept(Chain chain) throws IOException {
      Request request = chain.request();
      if (request.url().host().equals(host)) {
        request = request.newBuilder()
            .header("Authorization", credentials)
            .build();
      }
      return chain.proceed(request);
    }
  }

      chain[0] = heldCertificate.certificate
      intermediates.copyInto(chain, 1)
      keyStore.setKeyEntry("private", heldCertificate.keyPair.private, password, chain)
    }

    val factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
    factory.init(keyStore, password)
    val result = factory.keyManagers!!
    check(result.size == 1 && result[0] is X509KeyManager) {