kuzzle 2.16.10 → 2.17.1

package/lib/core/security/profileRepository.js

@@ -1,3 +1,4 @@
+"use strict";
 /*
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
@@ -18,487 +19,488 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-'use strict';
-
-const { omit } = require('lodash');
-const Bluebird = require('bluebird');
-
-const Profile = require('../../model/security/profile');
-const Repository = require('../shared/repository');
-const kerror = require('../../kerror');
-const cacheDbEnum = require('../cache/cacheDbEnum');
-
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProfileRepository = void 0;
+const lodash_1 = require("lodash");
+const bluebird_1 = __importDefault(require("bluebird"));
+const profile_1 = require("../../model/security/profile");
+const repository_1 = __importDefault(require("../shared/repository"));
+const kerror = __importStar(require("../../kerror"));
+const cacheDbEnum_1 = __importDefault(require("../cache/cacheDbEnum"));
 /**
  * @class ProfileRepository
  * @extends Repository
  */
-class ProfileRepository extends Repository {
-  /**
-   * @constructor
-   */
-  constructor (securityModule) {
-    super({
-      cache: cacheDbEnum.NONE,
-      store: global.kuzzle.internalIndex,
-    });
-
-    this.module = securityModule;
-    this.collection = 'profiles';
-    this.ObjectConstructor = Profile;
-    this.profiles = new Map();
-  }
-
-  init () {
+class ProfileRepository extends repository_1.default {
     /**
-     * Creates a new profile
-     * @param  {String} id - profile identifier / name
-     * @param  {Object} policies
-     * @param  {Object} opts - refresh, userId (used for metadata)
-     * @returns {Profile}
-     * @throws If already exists or if the policies are invalid
+     * @constructor
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:create',
-      (id, policies, opts) => this.create(id, policies, opts));
-
+    constructor(securityModule) {
+        super({
+            cache: cacheDbEnum_1.default.NONE,
+            store: global.kuzzle.internalIndex,
+        });
+        this.module = securityModule;
+        this.profiles = new Map();
+        super.collection = 'profiles';
+        super.ObjectConstructor = profile_1.Profile;
+    }
+    init() {
+        /**
+         * Creates a new profile
+         * @param  {String} id - profile identifier / name
+         * @param  {Object} policies
+         * @param  {Object} opts - refresh, userId (used for metadata)
+         * @returns {Profile}
+         * @throws If already exists or if the policies are invalid
+         */
+        global.kuzzle.onAsk('core:security:profile:create', (id, policies, opts) => this.create(id, policies, opts));
+        /**
+         * Creates a new profile, or replaces it if it already exists
+         * @param  {String} id
+         * @param  {Object} policies
+         * @param  {Object} opts - refresh, userId (used for metadata)
+         * @returns {Profile}
+         * @throws If the profile policies are invalid
+         */
+        global.kuzzle.onAsk('core:security:profile:createOrReplace', (id, policies, opts) => this.createOrReplace(id, policies, opts));
+        /**
+         * Deletes an existing profile
+         * @param  {String} id
+         * @param  {Object} opts - refresh
+         * @throws If the profile doesn't exist, if it is protected, or if it's
+         *         still in use
+         */
+        global.kuzzle.onAsk('core:security:profile:delete', (id, opts) => this.deleteById(id, opts));
+        /**
+         * Loads and returns an existing profile
+         * @param  {String} id - profile identifier
+         * @returns {Profile}
+         * @throws {NotFoundError} If the profile doesn't exist
+         */
+        global.kuzzle.onAsk('core:security:profile:get', id => this.load(id));
+        /**
+         * Invalidates the RAM cache from the given profile ID. If none is provided,
+         * the entire cache is emptied.
+         *
+         * @param  {String} [id] - profile identifier
+         */
+        global.kuzzle.onAsk('core:security:profile:invalidate', id => this.invalidate(id));
+        /**
+         * Gets multiple profiles
+         * @param  {Array} ids
+         * @returns {Array.<Profile>}
+         * @throws If one or more profiles don't exist
+         */
+        global.kuzzle.onAsk('core:security:profile:mGet', ids => this.loadProfiles(ids));
+        /**
+         * Fetches the next page of search results
+         * @param  {String} id - scroll identifier
+         * @param  {String} [ttl] - refresh the scroll results TTL
+         * @returns {Object} Search results
+         */
+        global.kuzzle.onAsk('core:security:profile:scroll', (id, ttl) => this.scroll(id, ttl));
+        /**
+         * Searches profiles
+         *
+         * @param  {Object} searchBody - Search query (ES format)
+         * @param  {Object} opts (from, size, scroll)
+         *
+         * @returns {Object} Search results
+         */
+        global.kuzzle.onAsk('core:security:profile:search', (searchBody, opts) => this.search(searchBody, opts));
+        /**
+         * Removes all existing profiles and invalidates the RAM cache
+         * @param  {Object} opts (refresh)
+         */
+        global.kuzzle.onAsk('core:security:profile:truncate', opts => this.truncate(opts));
+        /**
+         * Updates an existing profile using a partial content
+         * @param  {String} id - profile identifier to update
+         * @param  {Object} policies - partial policies to apply
+         * @param  {Object} opts - refresh, retryOnConflict, userId (used for metadata)
+         * @returns {Profile} Updated profile
+         */
+        global.kuzzle.onAsk('core:security:profile:update', (id, content, opts) => this.update(id, content, opts));
+    }
     /**
-     * Creates a new profile, or replaces it if it already exists
-     * @param  {String} id
-     * @param  {Object} policies
-     * @param  {Object} opts - refresh, userId (used for metadata)
-     * @returns {Profile}
-     * @throws If the profile policies are invalid
+     * Loads a Profile
+     *
+     * @param {string} id
+     * @returns {Promise.<Promise>}
+     * @throws {NotFoundError} If the corresponding profile doesn't exist
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:createOrReplace',
-      (id, policies, opts) => this.createOrReplace(id, policies, opts));
-
+    async load(id) {
+        if (this.profiles.has(id)) {
+            return this.profiles.get(id);
+        }
+        const profile = await super.load(id);
+        profile.optimizedPolicies = this.optimizePolicies(profile.policies);
+        this.profiles.set(id, profile);
+        return profile;
+    }
     /**
-     * Deletes an existing profile
-     * @param  {String} id
-     * @param  {Object} opts - refresh
-     * @throws If the profile doesn't exist, if it is protected, or if it's
-     *         still in use
+     * Loads a Profile object given its id.
+     * Stores the promise of the profile being loaded in the memcache
+     * and then replaces it by the profile itself once it has been loaded
+     *
+     * This is to allow parallelisation while preventing sending requests
+     * to ES, which is slow
+     *
+     * @param {Array} profileIds - Array of profiles ids
+     * @param {Object} options - resetCache (false)
+     *
+     * @returns {Promise} Resolves to the matching Profile object if found, null
+     * if not.
+     */
+    async loadProfiles(profileIds = []) {
+        const profiles = [];
+        if (profileIds.some(p => typeof p !== 'string')) {
+            throw kerror.get('api', 'assert', 'invalid_type', 'profileIds', 'string[]');
+        }
+        for (const id of profileIds) {
+            let profile = this.profiles.get(id);
+            if (!profile) {
+                profile = this.loadOneFromDatabase(id)
+                    .then(p => {
+                    p.optimizedPolicies = this.optimizePolicies(p.policies);
+                    this.profiles.set(id, p);
+                    return p;
+                });
+            }
+            profiles.push(profile);
+        }
+        return bluebird_1.default.all(profiles);
+    }
+    /**
+     * @override
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:delete',
-      (id, opts) => this.deleteById(id, opts));
-
+    async loadOneFromDatabase(id) {
+        try {
+            return await super.loadOneFromDatabase(id);
+        }
+        catch (err) {
+            if (err.status === 404) {
+                throw kerror.get('security', 'profile', 'not_found', id);
+            }
+            throw err;
+        }
+    }
     /**
-     * Loads and returns an existing profile
-     * @param  {String} id - profile identifier
+     * Creates a new profile, or create/replace a profile
+     *
+     * @param {String} id
+     * @param {Object} policies
+     * @param {Object} [opts]
      * @returns {Profile}
-     * @throws {NotFoundError} If the profile doesn't exist
      */
-    global.kuzzle.onAsk('core:security:profile:get', id => this.load(id));
-
+    async _createOrReplace(id, content, { method, refresh = 'false', strict, userId = null } = {}) {
+        const profile = await this.fromDTO({
+            // content should be first: ignores _id and _kuzzle_info in it
+            ...content,
+            _id: id,
+            _kuzzle_info: {
+                author: userId,
+                createdAt: Date.now(),
+                updatedAt: null,
+                updater: null,
+            },
+        });
+        return this.validateAndSaveProfile(profile, { method, refresh, strict });
+    }
     /**
-     * Invalidates the RAM cache from the given profile ID. If none is provided,
-     * the entire cache is emptied.
+     * Creates a new profile
      *
-     * @param  {String} [id] - profile identifier
+     * @param {String} id
+     * @param {Object} content
+     * @param {Object} [opts]
+     * @returns {Profile}
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:invalidate',
-      id => this.invalidate(id));
-
+    async create(id, content, opts = {}) {
+        return this._createOrReplace(id, content, {
+            method: 'create',
+            ...opts,
+        });
+    }
     /**
-     * Gets multiple profiles
-     * @param  {Array} ids
-     * @returns {Array.<Profile>}
-     * @throws If one or more profiles don't exist
+     * Creates or replaces a profile
+     *
+     * @param {String} id
+     * @param {Object} content
+     * @param {Object} [opts]
+     * @returns {Profile}
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:mGet',
-      ids => this.loadProfiles(ids));
-
+    async createOrReplace(id, content, opts = {}) {
+        return this._createOrReplace(id, content, {
+            method: 'createOrReplace',
+            ...opts,
+        });
+    }
     /**
-     * Fetches the next page of search results
-     * @param  {String} id - scroll identifier
-     * @param  {String} [ttl] - refresh the scroll results TTL
-     * @returns {Object} Search results
+     * Updates a profile
+     * @param  {String} id
+     * @param  {Object} content
+     * @param  {Object} [opts]
+     * @returns {Promise}
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:scroll',
-      (id, ttl) => this.scroll(id, ttl));
-
+    async update(id, content, { refresh, retryOnConflict, strict, userId } = {}) {
+        const profile = await this.load(id);
+        const pojo = super.toDTO(profile);
+        const updated = await this.fromDTO({
+            // /!\ order is important
+            ...pojo,
+            ...content,
+            // Always last, in case content contains these keys
+            _id: id,
+            _kuzzle_info: {
+                updatedAt: Date.now(),
+                updater: userId,
+            },
+        });
+        return this.validateAndSaveProfile(updated, {
+            method: 'update',
+            refresh,
+            retryOnConflict,
+            strict,
+        });
+    }
     /**
-     * Searches profiles
-     *
-     * @param  {Object} searchBody - Search query (ES format)
-     * @param  {Object} opts (from, size, scroll)
+     * Deletes a profile
      *
-     * @returns {Object} Search results
+     * @param {String} id
+     * @param {object} [options]
+     * @returns {Promise}
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:search',
-      (searchBody, opts) => this.search(searchBody, opts));
-
+    async deleteById(id, options = {}) {
+        const profile = await this.load(id);
+        return this.delete(profile, options);
+    }
     /**
-     * Removes all existing profiles and invalidates the RAM cache
-     * @param  {Object} opts (refresh)
+     * @override
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:truncate',
-      opts => this.truncate(opts));
-
+    async delete(profile, { refresh = 'false', onAssignedUsers = 'fail', userId = '-1', } = {}) {
+        if (['admin', 'default', 'anonymous'].includes(profile._id)) {
+            throw kerror.get('security', 'profile', 'cannot_delete');
+        }
+        const query = {
+            terms: {
+                'profileIds': [profile._id]
+            }
+        };
+        if (onAssignedUsers === 'remove') {
+            const batch = [];
+            let treated = 0;
+            let userPage = await this.module.user.search({ query }, { scroll: '1m', size: 100 });
+            while (treated < userPage.total) {
+                batch.length = 0;
+                for (const user of userPage.hits) {
+                    user.profileIds = user.profileIds.filter(e => e !== profile._id);
+                    if (user.profileIds.length === 0) {
+                        user.profileIds.push('anonymous');
+                    }
+                    batch.push(this.module.user.update(user._id, user.profileIds, user, {
+                        refresh,
+                        userId
+                    }));
+                }
+                await bluebird_1.default.all(batch);
+                treated += userPage.hits.length;
+                if (treated < userPage.total) {
+                    userPage = await this.module.user.scroll(userPage.scrollId, '1m');
+                }
+            }
+        }
+        else {
+            const hits = await this.module.user.search({ query }, { from: 0, size: 1 });
+            if (hits.total > 0) {
+                throw kerror.get('security', 'profile', 'in_use');
+            }
+        }
+        await this.deleteFromDatabase(profile._id, { refresh });
+        this.profiles.delete(profile._id);
+    }
     /**
-     * Updates an existing profile using a partial content
-     * @param  {String} id - profile identifier to update
-     * @param  {Object} policies - partial policies to apply
-     * @param  {Object} opts - refresh, retryOnConflict, userId (used for metadata)
-     * @returns {Profile} Updated profile
+     * From a Profile object, returns a serialized object ready to be persisted
+     * to the database.
+     *
+     * @param {Profile} profile
+     * @returns {object}
      */
-    global.kuzzle.onAsk(
-      'core:security:profile:update',
-      (id, content, opts) => this.update(id, content, opts));
-  }
-
-  /**
-   * Loads a Profile
-   *
-   * @param {string} id
-   * @returns {Promise.<Promise>}
-   * @throws {NotFoundError} If the corresponding profile doesn't exist
-   */
-  async load (id) {
-    if (this.profiles.has(id)) {
-      return this.profiles.get(id);
-    }
-
-    const profile = await super.load(id);
-
-    this.profiles.set(id, profile);
-
-    return profile;
-  }
-
-  /**
-   * Loads a Profile object given its id.
-   * Stores the promise of the profile being loaded in the memcache
-   * and then replaces it by the profile itself once it has been loaded
-   *
-   * This is to allow parallelisation while preventing sending requests
-   * to ES, which is slow
-   *
-   * @param {Array} profileIds - Array of profiles ids
-   * @param {Object} options - resetCache (false)
-   *
-   * @returns {Promise} Resolves to the matching Profile object if found, null
-   * if not.
-   */
-  async loadProfiles (profileIds = []) {
-    const profiles = [];
-
-    if (profileIds.some(p => typeof p !== 'string')) {
-      throw kerror.get('api', 'assert', 'invalid_type', 'profileIds', 'string[]');
-    }
-
-    for (let i = 0; i < profileIds.length; i++) {
-      const id = profileIds[i];
-      let profile = this.profiles.get(id);
-
-      if (!profile) {
-        profile = this.loadOneFromDatabase(id)
-          .then(p => {
-            this.profiles.set(id, p);
-            return p;
-          });
-
-        this.profiles.set(id, profile);
-      }
-
-      profiles.push(profile);
-    }
-
-    return Bluebird.all(profiles);
-  }
-
-  /**
-   * @override
-   */
-  async loadOneFromDatabase (id) {
-    try {
-      return await super.loadOneFromDatabase(id);
-    }
-    catch(err) {
-      if (err.status === 404) {
-        throw kerror.get('security', 'profile', 'not_found', id);
-      }
-      throw err;
+    serializeToDatabase(profile) {
+        // avoid the profile var mutation
+        return (0, lodash_1.omit)(profile, ['_id']);
     }
-  }
-
-  /**
-   * Creates a new profile, or create/replace a profile
-   *
-   * @param {String} id
-   * @param {Object} policies
-   * @param {Object} [opts]
-   * @returns {Profile}
-   */
-  async _createOrReplace (
-    id,
-    content,
-    { method, refresh = 'false', strict, userId = null } = {}
-  ) {
-    const profile = await this.fromDTO({
-      // content should be first: ignores _id and _kuzzle_info in it
-      ...content,
-      _id: id,
-      _kuzzle_info: {
-        author: userId,
-        createdAt: Date.now(),
-        updatedAt: null,
-        updater: null,
-      },
-    });
-
-    return this.validateAndSaveProfile(profile, { method, refresh, strict });
-  }
-
-  /**
-   * Creates a new profile
-   *
-   * @param {String} id
-   * @param {Object} content
-   * @param {Object} [opts]
-   * @returns {Profile}
-   */
-  async create (id, content, opts) {
-    return this._createOrReplace(id, content, {
-      method: 'create',
-      ...opts,
-    });
-  }
-
-  /**
-   * Creates or replaces a profile
-   *
-   * @param {String} id
-   * @param {Object} content
-   * @param {Object} [opts]
-   * @returns {Profile}
-   */
-  async createOrReplace (id, content, opts) {
-    return this._createOrReplace(id, content, {
-      method: 'createOrReplace',
-      ...opts,
-    });
-  }
-
-  /**
-   * Updates a profile
-   * @param  {String} id
-   * @param  {Object} content
-   * @param  {Object} [opts]
-   * @returns {Promise}
-   */
-  async update (id, content, {refresh, retryOnConflict, strict, userId} = {}) {
-    const profile = await this.load(id);
-    const pojo = this.toDTO(profile);
-    const updated = await this.fromDTO({
-      // /!\ order is important
-      ...pojo,
-      ...content,
-      // Always last, in case content contains these keys
-      _id: id,
-      _kuzzle_info: {
-        updatedAt: Date.now(),
-        updater: userId,
-      },
-    });
-
-    return this.validateAndSaveProfile(updated, {
-      method: 'update',
-      refresh,
-      retryOnConflict,
-      strict,
-    });
-  }
-
-  /**
-   * Deletes a profile
-   *
-   * @param {String} id
-   * @param {object} [options]
-   * @returns {Promise}
-   */
-  async deleteById (id, options) {
-    const profile = await this.load(id);
-    return this.delete(profile, options);
-  }
-
-  /**
-   * @override
-   */
-  async delete (profile, {
-    refresh = 'false',
-    onAssignedUsers = 'fail',
-    userId = '-1',
-  } = {}) {
-    if (['admin', 'default', 'anonymous'].includes(profile._id)) {
-      throw kerror.get('security', 'profile', 'cannot_delete');
+    /**
+     * Given a Profile object, validates its definition and if OK, persist it to the database.
+     *
+     * @param {Profile} profile
+     * @param {Object} [options]
+     * @param {string} [options.method] - Document persistence method
+     * @param {string} [options.refresh] - (Don't) wait for index refresh
+     * @param {number} [options.retryOnConflict] - Number of retries when an
+     *                                             update fails due to a conflict
+     * @param {boolean} [options.strict] - if true, restrictions can only be
+     *                                     applied on existing indexes/collections
+     * @returns {Promise<Profile>}
+     **/
+    async validateAndSaveProfile(profile, { method, refresh, retryOnConflict, strict } = {}) {
+        const policiesRoles = profile.policies.map(p => p.roleId);
+        // Assert: all roles must exist
+        await this.module.role.loadRoles(policiesRoles);
+        await profile.validateDefinition({ strict });
+        if (profile._id === 'anonymous'
+            && policiesRoles.indexOf('anonymous') === -1) {
+            throw kerror.get('security', 'profile', 'missing_anonymous_role');
+        }
+        profile.optimizedPolicies = undefined; // Remove optimized policies
+        await super.persistToDatabase(profile, { method, refresh, retryOnConflict });
+        const updatedProfile = await this.loadOneFromDatabase(profile._id);
+        // Recompute optimized policies based on new policies
+        updatedProfile.optimizedPolicies = this.optimizePolicies(updatedProfile.policies);
+        this.profiles.set(profile._id, updatedProfile);
+        return updatedProfile;
     }
-
-    const query = {
-      terms: {
-        'profileIds': [ profile._id ]
-      }
-    };
-
-    if (onAssignedUsers === 'remove') {
-      const batch = [];
-      let treated = 0;
-      let userPage = await this.module.user.search(
-        { query },
-        { scroll: '1m', size: 100 });
-
-      while (treated < userPage.total) {
-        batch.length = 0;
-
-        for (const user of userPage.hits) {
-          user.profileIds = user.profileIds.filter(e => e !== profile._id);
-
-          if (user.profileIds.length === 0) {
-            user.profileIds.push('anonymous');
-          }
-
-          batch.push(this.module.user.update(
-            user._id,
-            user.profileIds,
-            user,
-            {
-              refresh,
-              userId
-            }));
+    /**
+     * @param {object} dto
+     * @returns {Promise<Profile>}
+     */
+    async fromDTO(dto) {
+        const profile = await super.fromDTO(dto);
+        // force "default" role/policy if the profile does not have any role in it
+        if (!profile.policies || profile.policies.length === 0) {
+            profile.policies = [{ roleId: 'default' }];
         }
-
-        await Bluebird.all(batch);
-
-        treated += userPage.hits.length;
-
-        if (treated < userPage.total) {
-          userPage = await this.module.user.scroll(userPage.scrollId, '1m');
+        if (profile.constructor._hash('') === false) {
+            profile.constructor._hash = obj => global.kuzzle.hash(obj);
         }
-      }
-    }
-    else {
-      const hits = await this.module.user.search({ query }, {from: 0, size: 1});
-
-      if (hits.total > 0) {
-        throw kerror.get('security', 'profile', 'in_use');
-      }
+        const policiesRoles = profile.policies.map(p => p.roleId);
+        const roles = await this.module.role.loadRoles(policiesRoles);
+        // Fail if not all roles are found
+        if (roles.some(r => r === null)) {
+            throw kerror.get('security', 'profile', 'cannot_hydrate');
+        }
+        return profile;
     }
-
-    await this.deleteFromDatabase(profile._id, {refresh});
-
-    this.profiles.delete(profile._id);
-  }
-
-  /**
-   * From a Profile object, returns a serialized object ready to be persisted
-   * to the database.
-   *
-   * @param {Profile} profile
-   * @returns {object}
-   */
-  serializeToDatabase (profile) {
-    // avoid the profile var mutation
-    return omit(profile, ['_id']);
-  }
-
-  /**
-   * Given a Profile object, validates its definition and if OK, persist it to the database.
-   *
-   * @param {Profile} profile
-   * @param {Object} [options]
-   * @param {string} [options.method] - Document persistence method
-   * @param {string} [options.refresh] - (Don't) wait for index refresh
-   * @param {number} [options.retryOnConflict] - Number of retries when an
-   *                                             update fails due to a conflict
-   * @param {boolean} [options.strict] - if true, restrictions can only be
-   *                                     applied on existing indexes/collections
-   * @returns {Promise<Profile>}
-   **/
-  async validateAndSaveProfile (profile, { method, refresh, retryOnConflict, strict } = {}) {
-    const policiesRoles = profile.policies.map(p => p.roleId);
-
-    // Assert: all roles must exist
-    await this.module.role.loadRoles(policiesRoles);
-
-    await profile.validateDefinition({ strict });
-
-    if ( profile._id === 'anonymous'
-      && policiesRoles.indexOf('anonymous') === -1
-    ) {
-      throw kerror.get('security', 'profile', 'missing_anonymous_role');
+    /**
+     * @override
+     */
+    async truncate(opts) {
+        try {
+            await super.truncate(opts);
+        }
+        finally {
+            // always clear the RAM cache: even if truncate fails in the middle of it,
+            // some of the cached profiles might not be valid anymore
+            this.invalidate();
+        }
     }
-
-    await this.persistToDatabase(profile, { method, refresh, retryOnConflict });
-
-    const updatedProfile = await this.loadOneFromDatabase(profile._id);
-
-    this.profiles.set(profile._id, updatedProfile);
-    return updatedProfile;
-  }
-
-  /**
-   * @param {object} dto
-   * @returns {Promise<Profile>}
-   */
-  async fromDTO (dto) {
-    const profile = await super.fromDTO(dto);
-
-    // force "default" role/policy if the profile does not have any role in it
-    if (!profile.policies || profile.policies.length === 0) {
-      profile.policies = [ {roleId: 'default'} ];
+    /**
+     * Invalidate the cache entries for the given profile. If none is provided,
+     * the entire cache is emptied.
+     * @param {string} [profileId]
+     */
+    invalidate(profileId) {
+        if (!profileId) {
+            this.profiles.clear();
+        }
+        else {
+            this.profiles.delete(profileId);
+        }
     }
-
-    if (profile.constructor._hash('') === false) {
-      profile.constructor._hash = obj => global.kuzzle.hash(obj);
+    /**
+     * Optimize each policy to get a O(1) index access time
+     * and a O(log(n)) collection search time.
+     *
+     * - Deduplicate indexes using a map
+     * - Sort collections per index
+     * @param {Object[]} policies
+     */
+    optimizePolicies(policies) {
+        if (!policies) {
+            return [];
+        }
+        return policies.map(this.optimizePolicy);
     }
-
-    const policiesRoles = profile.policies.map(p => p.roleId);
-    const roles = await this.module.role.loadRoles(policiesRoles);
-
-    // Fail if not all roles are found
-    if (roles.some(r => r === null)) {
-      throw kerror.get('security', 'profile', 'cannot_hydrate');
+    /**
+     * Optimize a policy to get a O(1) index access time
+     * and a O(log(n)) collection search time.
+     *
+     * - Deduplicate indexes using a map
+     * - Sort collections per index
+     * @param policy
+     */
+    optimizePolicy(policy) {
+        const indexes = new Map();
+        if (!policy.restrictedTo) {
+            return {
+                roleId: policy.roleId,
+            };
+        }
+        for (const restriction of policy.restrictedTo) {
+            const index = restriction.index;
+            const collections = restriction.collections;
+            if (!index) {
+                continue;
+            }
+            if (!indexes.has(index)) {
+                indexes.set(index, new Set());
+            }
+            if (!collections) {
+                continue;
+            }
+            const collectionSet = indexes.get(index);
+            for (const collection of collections) {
+                collectionSet.add(collection); // Push unique values
+            }
+        }
+        // Convert collections Set to arrays and sort them
+        for (const index of indexes.keys()) {
+            const collectionSet = indexes.get(index);
+            indexes.set(index, Array.from(collectionSet).sort());
+        }
+        return {
+            restrictedTo: indexes,
+            roleId: policy.roleId,
+        };
     }
-
-    return profile;
-  }
-
-  /**
-   * @override
-   */
-  async truncate (opts) {
-    try {
-      await super.truncate(opts);
+    // ============================================
+    // Every method described after are for testing purpose only
+    // Otherwise we cannot stub them
+    // ============================================
+    async toDTO(dto) {
+        return super.toDTO(dto);
     }
-    finally {
-      // always clear the RAM cache: even if truncate fails in the middle of it,
-      // some of the cached profiles might not be valid anymore
-      this.invalidate();
+    async deleteFromDatabase(id, options) {
+        return super.deleteFromDatabase(id, options);
     }
-  }
-
-  /**
-   * Invalidate the cache entries for the given profile. If none is provided,
-   * the entire cache is emptied.
-   * @param {string} [profileId]
-   */
-  invalidate (profileId) {
-    if (!profileId) {
-      this.profiles.clear();
+    async search(searchBody, options) {
+        return super.search(searchBody, options);
     }
-    else {
-      this.profiles.delete(profileId);
+    async scroll(id, ttl) {
+        return super.scroll(id, ttl);
     }
-  }
 }
-
-
-module.exports = ProfileRepository;
+exports.ProfileRepository = ProfileRepository;
+//# sourceMappingURL=profileRepository.js.map