More work on auth module

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/gclient/IUpdateTyped.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.gclient;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import org.hl7.fhir.instance.model.api.IIdType;
 
 public interface IUpdateTyped extends IUpdateExecutable {

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/method/IRequestOperationCallback.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.method;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import java.util.Collection;
 
 import org.hl7.fhir.instance.model.api.IBaseResource;

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/IServerOperationInterceptor.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import org.hl7.fhir.instance.model.api.IBaseResource;
 
 import ca.uhn.fhir.rest.method.RequestDetails;

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AppliesTypeEnum.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 enum AppliesTypeEnum {
 	ALL_RESOURCES, TYPES
 

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptor.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import static org.apache.commons.lang3.StringUtils.defaultString;
 
 import java.util.ArrayList;
@@ -69,7 +89,7 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 		IAuthRule decidingRule = null;
 		
 		for (IAuthRule nextRule : theRules) {
-			RuleModeEnum decision = nextRule.applyRule(theOperation, theRequestDetails, theInputResource, theOutputResource);
+			RuleVerdictEnum decision = nextRule.applyRule(theOperation, theRequestDetails, theInputResource, theOutputResource);
 			
 			switch (decision) {
 			case NO_DECISION:
@@ -127,7 +147,7 @@ public class AuthorizationInterceptor extends InterceptorAdapter implements ISer
 		case EXTENDED_OPERATION_TYPE:
 		case METADATA:
 			// Security does not apply to these operations 
-			return OperationExamineDirection.NONE;
+			return OperationExamineDirection.IN;
 			
 		case DELETE:
 			// Delete is a special case

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/ClassifierTypeEnum.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 enum ClassifierTypeEnum {
 	IN_COMPARTMENT, ANY_ID
 

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRule.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import org.hl7.fhir.instance.model.api.IBaseResource;
 
 import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
@@ -18,9 +38,9 @@ public interface IAuthRule {
 	 *           The resource being input by the client, or <code>null</code>
 	 * @param theOutputResource
 	 *           The resource being returned by the server, or <code>null</code>
-	 * @return Returns a policy decision, or <code>null</code> if the rule does not apply
+	 * @return Returns a policy decision, or {@link RuleVerdictEnum#NO_DECISION} if the rule does not apply
 	 */
-	RuleModeEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource);
+	RuleVerdictEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource);
 
 	/**
 	 * Returns a name for this rule, to be used in logs and error messages

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilder.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 /**
  * Used by {@link AuthorizationInterceptor} in order to allow user code to define authorization
  * rules.

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRule.java

@@ -1,7 +1,36 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 public interface IAuthRuleBuilderRule {
 
+	/**
+	 * This rules applies to the metadata operation (retrieve the
+	 * server's conformance statement)
+	 * <p>
+	 * This call completes the rule and adds the rule to the chain.
+	 * </p>
+	 */
+	IAuthRuleBuilderRuleOpClassifierFinished metadata();
+
 	/**
 	 * This rule applies to any FHIR operation involving reading, including
 	 * <code>read</code>, <code>vread</code>, <code>search</code>, and
@@ -9,16 +38,16 @@ public interface IAuthRuleBuilderRule {
 	 */
 	IAuthRuleBuilderRuleOp read();
 
-	/**
-	 * This rule applies to any FHIR operation involving writing, including
-	 * <code>create</code>, and <code>update</code>
-	 */
-	IAuthRuleBuilderRuleOp write();
-
 	/**
 	 * This rule applies to the FHIR transaction operation. Transaction is a special
 	 * case in that it bundles other operations
 	 */
 	IAuthRuleBuilderRuleTransaction transaction();
 
+	/**
+	 * This rule applies to any FHIR operation involving writing, including
+	 * <code>create</code>, and <code>update</code>
+	 */
+	IAuthRuleBuilderRuleOp write();
+
 }

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleOp.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import org.hl7.fhir.instance.model.api.IBaseResource;
 
 public interface IAuthRuleBuilderRuleOp {

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleOpClassifier.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import java.util.Collection;
 
 import org.hl7.fhir.instance.model.api.IIdType;

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleOpClassifierFinished.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 public interface IAuthRuleBuilderRuleOpClassifierFinished {
 
 	/**

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleTransaction.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 public interface IAuthRuleBuilderRuleTransaction {
 
 	/**
@@ -9,5 +29,5 @@ public interface IAuthRuleBuilderRuleTransaction {
 	 * This call completes the rule and adds the rule to the chain.
 	 * </p>
 	 */
-	IAuthRuleBuilderRuleOpClassifierFinished withAnyOperation();
+	IAuthRuleBuilderRuleTransactionOp withAnyOperation();
 }

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/IAuthRuleBuilderRuleTransactionOp.java

@@ -1,5 +1,27 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 public interface IAuthRuleBuilderRuleTransactionOp {
 
+	IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules();
+	
 }

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/PolicyEnum.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 public enum PolicyEnum {
 
 	ALLOW,

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/Rule.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import java.util.Collection;
 import java.util.Set;
 
@@ -18,7 +38,7 @@ class Rule implements IAuthRule {
 	private String myClassifierCompartmentName;
 	private Collection<? extends IIdType> myClassifierCompartmentOwners;
 	private ClassifierTypeEnum myClassifierType;
-	private RuleModeEnum myMode;
+	private RuleVerdictEnum myMode;
 	private String myName;
 	private RuleOpEnum myOp;
 	private TransactionAppliesToEnum myTransactionAppliesToOp;
@@ -28,7 +48,7 @@ class Rule implements IAuthRule {
 	}
 
 	@Override
-	public RuleModeEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource) {
+	public RuleVerdictEnum applyRule(RestOperationTypeEnum theOperation, RequestDetails theRequestDetails, IBaseResource theInputResource, IBaseResource theOutputResource) {
 		FhirContext ctx = theRequestDetails.getServer().getFhirContext();
 
 		IBaseResource appliesTo;
@@ -42,9 +62,15 @@ class Rule implements IAuthRule {
 		case TRANSACTION:
 			return myMode;
 		case ALLOW_ALL:
-			return RuleModeEnum.ALLOW;
+			return RuleVerdictEnum.ALLOW;
 		case DENY_ALL:
-			return RuleModeEnum.DENY;
+			return RuleVerdictEnum.DENY;
+		case METADATA:
+			if (theOperation == RestOperationTypeEnum.METADATA) {
+				return myMode;
+			} else {
+				return RuleVerdictEnum.NO_DECISION;
+			}
 		default:
 			// Should not happen
 			throw new IllegalStateException("Unable to apply security to event of type " + theOperation);
@@ -55,7 +81,7 @@ class Rule implements IAuthRule {
 			break;
 		case TYPES:
 			if (myAppliesToTypes.contains(appliesTo.getClass()) == false) {
-				return RuleModeEnum.NO_DECISION;
+				return RuleVerdictEnum.NO_DECISION;
 			}
 			break;
 		default:
@@ -75,7 +101,7 @@ class Rule implements IAuthRule {
 				}
 			}
 			if (!foundMatch) {
-				return RuleModeEnum.NO_DECISION;
+				return RuleVerdictEnum.NO_DECISION;
 			}
 			break;
 		default:
@@ -114,7 +140,7 @@ class Rule implements IAuthRule {
 		myClassifierType = theClassifierType;
 	}
 
-	public void setMode(RuleModeEnum theRuleMode) {
+	public void setMode(RuleVerdictEnum theRuleMode) {
 		myMode = theRuleMode;
 	}
 

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleBuilder.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
@@ -11,7 +31,7 @@ import org.hl7.fhir.instance.model.api.IIdType;
 
 class RuleBuilder implements IAuthRuleBuilder {
 
-	private RuleModeEnum myRuleMode;
+	private RuleVerdictEnum myRuleMode;
 
 	private String myRuleName;
 
@@ -28,7 +48,7 @@ class RuleBuilder implements IAuthRuleBuilder {
 
 	@Override
 	public IAuthRuleBuilderRule allow(String theRuleName) {
-		myRuleMode = RuleModeEnum.ALLOW;
+		myRuleMode = RuleVerdictEnum.ALLOW;
 		myRuleName = theRuleName;
 		return new RuleBuilderRule();
 	}
@@ -51,7 +71,7 @@ class RuleBuilder implements IAuthRuleBuilder {
 
 	@Override
 	public IAuthRuleBuilderRule deny(String theRuleName) {
-		myRuleMode = RuleModeEnum.DENY;
+		myRuleMode = RuleVerdictEnum.DENY;
 		myRuleName = theRuleName;
 		return new RuleBuilderRule();
 	}
@@ -84,6 +104,15 @@ class RuleBuilder implements IAuthRuleBuilder {
 
 		private RuleOpEnum myRuleOp;
 
+		@Override
+		public RuleBuilderFinished metadata() {
+			Rule rule = new Rule(myRuleName);
+			rule.setOp(RuleOpEnum.METADATA);
+			rule.setMode(myRuleMode);
+			myRules.add(rule);
+			return new RuleBuilderFinished(myRules);
+		}
+		
 		@Override
 		public IAuthRuleBuilderRuleOp read() {
 			myRuleOp = RuleOpEnum.READ;
@@ -183,13 +212,24 @@ class RuleBuilder implements IAuthRuleBuilder {
 		public class RuleBuilderRuleTransaction implements IAuthRuleBuilderRuleTransaction {
 
 			@Override
-			public IAuthRuleBuilderRuleOpClassifierFinished withAnyOperation() {
+			public IAuthRuleBuilderRuleTransactionOp withAnyOperation() {
-				Rule rule = new Rule(myRuleName);
+				return new RuleBuilderRuleTransactionOp();
-				rule.setOp(myRuleOp);
-				rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
-				myRules.add(rule);
-				return new RuleBuilderFinished(myRules);
 			}
+			
+			
+			class RuleBuilderRuleTransactionOp implements IAuthRuleBuilderRuleTransactionOp {
+
+				@Override
+				public IAuthRuleBuilderRuleOpClassifierFinished andApplyNormalRules() {
+					Rule rule = new Rule(myRuleName);
+					rule.setOp(myRuleOp);
+					rule.setTransactionAppliesToOp(TransactionAppliesToEnum.ANY_OPERATION);
+					myRules.add(rule);
+					return new RuleBuilderFinished(myRules);
+				}
+				
+			}
+			
 		}
 
 	}

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleModeEnum.java

@@ -1,7 +0,0 @@
-package ca.uhn.fhir.rest.server.interceptor.auth;
-
-enum RuleModeEnum {
-	ALLOW,
-	DENY, 
-	NO_DECISION
-}

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleOpEnum.java

@@ -1,9 +1,30 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 enum RuleOpEnum {
 	READ,
 	WRITE, 
 	ALLOW_ALL,
 	DENY_ALL, 
-	TRANSACTION
+	TRANSACTION, 
+	METADATA
 }

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/RuleVerdictEnum.java

@@ -0,0 +1,27 @@
+package ca.uhn.fhir.rest.server.interceptor.auth;
+
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
+enum RuleVerdictEnum {
+	ALLOW,
+	DENY, 
+	NO_DECISION
+}

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/server/interceptor/auth/TransactionAppliesToEnum.java

@@ -1,5 +1,25 @@
 package ca.uhn.fhir.rest.server.interceptor.auth;
 
+/*
+ * #%L
+ * HAPI FHIR - Core Library
+ * %%
+ * Copyright (C) 2014 - 2016 University Health Network
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+
 enum TransactionAppliesToEnum {
 	ANY_OPERATION
 

hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/client/GenericClientDstu2Test.java

@@ -46,12 +46,15 @@ import org.mockito.stubbing.Answer;
 
 import ca.uhn.fhir.context.FhirContext;
 import ca.uhn.fhir.model.api.Bundle;
+import ca.uhn.fhir.model.api.ExtensionDt;
 import ca.uhn.fhir.model.api.Include;
 import ca.uhn.fhir.model.api.ResourceMetadataKeyEnum;
 import ca.uhn.fhir.model.dstu2.composite.IdentifierDt;
 import ca.uhn.fhir.model.dstu2.composite.MetaDt;
 import ca.uhn.fhir.model.dstu2.resource.Bundle.Entry;
 import ca.uhn.fhir.model.dstu2.resource.Bundle.Link;
+import ca.uhn.fhir.model.dstu2.resource.Conformance.Rest;
+import ca.uhn.fhir.model.dstu2.resource.Conformance.RestSecurity;
 import ca.uhn.fhir.model.dstu2.resource.Conformance;
 import ca.uhn.fhir.model.dstu2.resource.Observation;
 import ca.uhn.fhir.model.dstu2.resource.OperationOutcome;
@@ -165,6 +168,37 @@ public class GenericClientDstu2Test {
 		idx++;
 	}
 
+	/**
+	 * See #322
+	 */
+	@Test
+	public void testFetchConformanceWithSmartExtensions() throws Exception {
+		final String respString = IOUtils.toString(GenericClientDstu2Test.class.getResourceAsStream("/conformance_322.json"));
+		ArgumentCaptor<HttpUriRequest> capt = ArgumentCaptor.forClass(HttpUriRequest.class);
+		when(myHttpClient.execute(capt.capture())).thenReturn(myHttpResponse);
+		when(myHttpResponse.getStatusLine()).thenReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 200, "OK"));
+		when(myHttpResponse.getEntity().getContentType()).thenReturn(new BasicHeader("content-type", Constants.CT_FHIR_JSON + "; charset=UTF-8"));
+		when(myHttpResponse.getEntity().getContent()).thenAnswer(new Answer<ReaderInputStream>() {
+			@Override
+			public ReaderInputStream answer(InvocationOnMock theInvocation) throws Throwable {
+				return new ReaderInputStream(new StringReader(respString), Charset.forName("UTF-8"));
+			}
+		});
+
+		IGenericClient client = ourCtx.newRestfulGenericClient("http://localhost:8080/fhir");
+		Conformance conf = client.fetchConformance().ofType(Conformance.class).execute();
+		
+		Rest rest = conf.getRest().get(0);
+		RestSecurity security = rest.getSecurity();
+		
+		List<ExtensionDt> ext = security.getUndeclaredExtensionsByUrl("http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris");
+		List<ExtensionDt> tokenExts = ext.get(0).getUndeclaredExtensionsByUrl("token");
+		ExtensionDt tokenExt = tokenExts.get(0);
+		UriDt value = (UriDt) tokenExt.getValue();
+		assertEquals("https://my-server.org/token", value.getValueAsString());
+
+	}
+
 	@Test
 	public void testAcceptHeaderPreflightConformance() throws Exception {
 		String methodName = "testAcceptHeaderPreflightConformance";

hapi-fhir-structures-dstu2/src/test/java/ca/uhn/fhir/rest/server/interceptor/auth/AuthorizationInterceptorDstu2Test.java

@@ -109,6 +109,74 @@ public class AuthorizationInterceptorDstu2Test {
 		return responseContent;
 	}
 
+	@Test
+	public void testMetadataAllow() throws Exception {
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			protected void buildRuleList(RequestDetails theRequestDetails, IAuthRuleBuilder theRuleBuilder) {
+				theRuleBuilder.allow("Rule 1").metadata();
+			}
+		});
+
+		HttpGet httpGet;
+		HttpResponse status;
+		String response;
+
+		ourReturn = Arrays.asList(createPatient(2));
+		ourHitMethod = false;
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/metadata");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+		assertEquals(200, status.getStatusLine().getStatusCode());
+	}
+	
+	@Test
+	public void testTransactionWriteGood() throws Exception {
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {
+			@Override
+			protected void buildRuleList(RequestDetails theRequestDetails, IAuthRuleBuilder theRuleBuilder) {
+				theRuleBuilder
+					.allow("Rule 1").transaction().withAnyOperation().andApplyNormalRules().andThen()
+					.allow("Rule 2").write().allResources().inCompartment("Patient", new IdDt("Patient/1")).andThen()
+					.allow("Rule 2").read().allResources().inCompartment("Patient", new IdDt("Patient/1")).andThen();
+			}
+		});
+
+		
+		
+//		HttpGet httpGet;
+//		HttpResponse status;
+//		String response;
+//
+//		ourReturn = Arrays.asList(createPatient(2));
+//		ourHitMethod = false;
+//		httpGet = new HttpGet("http://localhost:" + ourPort + "/metadata");
+//		status = ourClient.execute(httpGet);
+//		extractResponseAndClose(status);
+//		assertEquals(200, status.getStatusLine().getStatusCode());
+	}
+
+	@Test
+	public void testMetadataDeny() throws Exception {
+		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.ALLOW) {
+			@Override
+			protected void buildRuleList(RequestDetails theRequestDetails, IAuthRuleBuilder theRuleBuilder) {
+				theRuleBuilder.deny("Rule 1").metadata();
+			}
+		});
+
+		HttpGet httpGet;
+		HttpResponse status;
+		String response;
+
+		ourReturn = Arrays.asList(createPatient(2));
+		ourHitMethod = false;
+		httpGet = new HttpGet("http://localhost:" + ourPort + "/metadata");
+		status = ourClient.execute(httpGet);
+		extractResponseAndClose(status);
+		assertEquals(401, status.getStatusLine().getStatusCode());
+	}
+	
 	@Test
 	public void testReadByAnyId() throws Exception {
 		ourServlet.registerInterceptor(new AuthorizationInterceptor(PolicyEnum.DENY) {

hapi-fhir-structures-dstu2/src/test/resources/conformance_322.json

@@ -0,0 +1,110 @@
+{
+    "resourceType":"Conformance",
+    "publisher":"Cloudyle",
+    "date":"2016-03-30T14:53:23+02:00",
+    "kind":"instance",
+    "software":{
+        "name":"HAPI FHIR Server",
+        "version":"1.4"
+    },
+    "fhirVersion":"1.0.2",
+    "acceptUnknown":"both",
+    "format":[
+        "application/xml+fhir",
+        "application/json+fhir"
+    ],
+    "rest":[
+        {
+            "mode":"server",
+            "security":{
+                "extension":[
+                    {
+                        "url":"http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
+                        "extension":[
+                            {
+                                "url":"token",
+                                "valueuri":"https://my-server.org/token"
+                            },
+                            {
+                                "url":"authorize",
+                                "valueuri":"https://my-server.org/authorize"
+                            }
+                        ]
+                    }
+                ],
+                "service":[
+                    {
+                        "coding":[
+                            {
+                                "system":"http://hl7.org/fhir/restful-security-service",
+                                "code":"SMART-on-FHIR"
+                            }
+                        ],
+                        "text":"OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
+                    }
+                ]
+            },
+            "resource":[
+                {
+                    "type":"Observation",
+                    "profile":{
+                        "reference":"http://hl7.org/fhir/profiles/Observation"
+                    },
+                    "interaction":[
+                        {
+                            "code":"search-type"
+                        }
+                    ],
+                    "searchParam":[
+                        {
+                            "name":"code",
+                            "type":"token",
+                            "documentation":"The code of the observation type"
+                        },
+                        {
+                            "name":"subject",
+                            "type":"string",
+                            "documentation":"The subject that the observation is about"
+                        }
+                    ]
+                },
+                {
+                    "type":"OperationDefinition",
+                    "profile":{
+                        "reference":"http://hl7.org/fhir/profiles/OperationDefinition"
+                    },
+                    "interaction":[
+                        {
+                            "code":"read"
+                        }
+                    ]
+                },
+                {
+                    "type":"Patient",
+                    "profile":{
+                        "reference":"http://hl7.org/fhir/profiles/Patient"
+                    },
+                    "interaction":[
+                        {
+                            "code":"read"
+                        }
+                    ]
+                },
+                {
+                    "type":"StructureDefinition",
+                    "profile":{
+                        "reference":"http://hl7.org/fhir/profiles/StructureDefinition"
+                    },
+                    "interaction":[
+                        {
+                            "code":"read"
+                        },
+                        {
+                            "code":"search-type"
+                        }
+                    ]
+                }
+            ]
+        }
+    ]
+}

hapi-fhir-structures-dstu3/src/test/java/ca/uhn/fhir/validation/FhirInstanceValidatorDstu3Test.java

@@ -23,19 +23,18 @@ import org.apache.commons.io.IOUtils;
 import org.hl7.fhir.dstu3.hapi.validation.DefaultProfileValidationSupport;
 import org.hl7.fhir.dstu3.hapi.validation.FhirInstanceValidator;
 import org.hl7.fhir.dstu3.hapi.validation.IValidationSupport;
-import org.hl7.fhir.dstu3.hapi.validation.ValidationSupportChain;
 import org.hl7.fhir.dstu3.hapi.validation.IValidationSupport.CodeValidationResult;
+import org.hl7.fhir.dstu3.hapi.validation.ValidationSupportChain;
 import org.hl7.fhir.dstu3.model.CodeType;
 import org.hl7.fhir.dstu3.model.Observation;
+import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
 import org.hl7.fhir.dstu3.model.Patient;
 import org.hl7.fhir.dstu3.model.StringType;
 import org.hl7.fhir.dstu3.model.ValueSet;
-import org.hl7.fhir.dstu3.model.Observation.ObservationStatus;
 import org.hl7.fhir.dstu3.model.ValueSet.ConceptDefinitionComponent;
 import org.hl7.fhir.dstu3.model.ValueSet.ConceptSetComponent;
 import org.hl7.fhir.dstu3.model.ValueSet.ValueSetExpansionComponent;
 import org.hl7.fhir.instance.model.api.IBaseResource;
-import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.Ignore;