[SecurityBundle] Do not replace authenticators service by their traceable version

Author: MatTheCat

DependencyInjection/SecurityExtension.php

@@ -643,11 +643,13 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
         }
 
         if ($container->hasDefinition('debug.security.firewall')) {
-            foreach ($authenticationProviders as $authenticatorId) {
-                $container->register('debug.'.$authenticatorId, TraceableAuthenticator::class)
-                    ->setDecoratedService($authenticatorId)
-                    ->setArguments([new Reference('debug.'.$authenticatorId.'.inner')])
+            foreach ($authenticationProviders as &$authenticatorId) {
+                $traceableId = 'debug.'.$authenticatorId;
+                $container
+                    ->register($traceableId, TraceableAuthenticator::class)
+                    ->setArguments([new Reference($authenticatorId)])
                 ;
+                $authenticatorId = $traceableId;
             }
         }
 

Tests/DependencyInjection/SecurityExtensionTest.php

@@ -20,7 +20,9 @@
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
+use Symfony\Component\DependencyInjection\Compiler\DecoratorServicePass;
 use Symfony\Component\DependencyInjection\Compiler\ResolveChildDefinitionsPass;
+use Symfony\Component\DependencyInjection\Compiler\ResolveReferencesToAliasesPass;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\ExpressionLanguage\Expression;
@@ -900,6 +902,30 @@ public function testCustomHasherWithMigrateFrom()
         ]);
     }
 
+    public function testAuthenticatorsDecoration()
+    {
+        $container = $this->getRawContainer();
+        $container->setParameter('kernel.debug', true);
+        $container->getCompilerPassConfig()->setOptimizationPasses([
+            new ResolveChildDefinitionsPass(),
+            new DecoratorServicePass(),
+            new ResolveReferencesToAliasesPass(),
+        ]);
+
+        $container->register(TestAuthenticator::class);
+        $container->loadFromExtension('security', [
+            'firewalls' => ['main' => ['custom_authenticator' => TestAuthenticator::class]],
+        ]);
+        $container->compile();
+
+        /** @var Reference[] $managerAuthenticators */
+        $managerAuthenticators = $container->getDefinition('security.authenticator.manager.main')->getArgument(0);
+        $this->assertCount(1, $managerAuthenticators);
+        $this->assertSame('debug.'.TestAuthenticator::class, (string) reset($managerAuthenticators), 'AuthenticatorManager must be injected traceable authenticators in debug mode.');
+
+        $this->assertTrue($container->hasDefinition(TestAuthenticator::class), 'Original authenticator must still exist in the container so it can be used outside of the AuthenticatorManager’s context.');
+    }
+
     protected function getRawContainer()
     {
         $container = new ContainerBuilder();