Merge branch '276250-log-approved-members-in-audit-events' into 'master'

Generate audit event after new user is approved

See merge request gitlab-org/gitlab!47468

app/services/users/approve_service.rb

@@ -17,6 +17,7 @@ module Users
         user.accept_pending_invitations! if user.active_for_authentication?
         DeviseMailer.user_admin_approval(user).deliver_later
 
+        after_approve_hook(user)
         success
       else
         error(user.errors.full_messages.uniq.join('. '))
@@ -27,6 +28,10 @@ module Users
 
     attr_reader :current_user
 
+    def after_approve_hook(user)
+      # overridden by EE module
+    end
+
     def allowed?
       can?(current_user, :approve_user)
     end
@@ -36,3 +41,5 @@ module Users
     end
   end
 end
+
+Users::ApproveService.prepend_if_ee('EE::Users::ApproveService')

doc/administration/audit_events.md

@@ -99,6 +99,7 @@ From there, you can see the following actions:
 - Number of required approvals was updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7531) in GitLab 12.9)
 - Added or removed users and groups from project approval groups ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213603) in GitLab 13.2)
 - Project CI/CD variable added, removed, or protected status changed ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/30857) in GitLab 13.4)
+- User was approved via Admin Area ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276250) in GitLab 13.6)
 
 Project events can also be accessed via the [Project Audit Events API](../api/audit_events.md#project-audit-events).
 

ee/app/services/ee/users/approve_service.rb

+# frozen_string_literal: true
+
+module EE
+  module Users
+    module ApproveService
+      extend ::Gitlab::Utils::Override
+
+      override :after_approve_hook
+      def after_approve_hook(user)
+        super
+
+        log_audit_event(user)
+      end
+
+      private
+
+      def log_audit_event(user)
+        ::AuditEventService.new(
+          current_user,
+          user,
+          action: :custom,
+          custom_message: 'Approved user'
+        ).for_user.security_event
+      end
+    end
+  end
+end

ee/changelogs/unreleased/276250-log-approved-members-in-audit-events.yml

+---
+title: Generate audit event after new user is approved
+merge_request: 47468
+author:
+type: added

ee/spec/services/ee/users/approve_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Users::ApproveService do
+  let(:current_user) { create(:admin) }
+
+  subject(:service) { described_class.new(current_user) }
+
+  describe '#execute', :enable_admin_mode do
+    let(:user) { create(:user, :blocked_pending_approval) }
+
+    subject(:operation) { service.execute(user) }
+
+    describe 'audit events' do
+      context 'when licensed' do
+        before do
+          stub_licensed_features(admin_audit_log: true)
+        end
+
+        context 'when user approve operation succeeds' do
+          it 'logs an audit event' do
+            expect { operation }.to change { AuditEvent.count }.by(1)
+          end
+
+          it 'logs the audit event info' do
+            operation
+
+            expect(AuditEvent.last).to have_attributes(
+              details: hash_including(custom_message: 'Approved user')
+            )
+          end
+        end
+
+        context 'when user approve operation fails' do
+          before do
+            allow(user).to receive(:activate).and_return(false)
+          end
+
+          it 'does not log any audit event' do
+            expect { operation }.not_to change { AuditEvent.count }
+          end
+        end
+      end
+
+      context 'when not licensed' do
+        before do
+          stub_licensed_features(
+            admin_audit_log: false
+          )
+        end
+
+        it 'does not log any audit event' do
+          expect { operation }.not_to change(AuditEvent, :count)
+        end
+      end
+    end
+  end
+end