Generate audit event after new user is approved

If the instance requires approval of the admin for new sign ups then a
new Audit event will be generated after the admin has approved the new
user.

app/services/users/approve_service.rb

@@ -16,6 +16,7 @@ module Users
         user.resend_confirmation_instructions
         user.accept_pending_invitations! if user.active_for_authentication?
 
+        after_approve_hook(user)
         success
       else
         error(user.errors.full_messages.uniq.join('. '))
@@ -26,6 +27,10 @@ module Users
 
     attr_reader :current_user
 
+    def after_approve_hook(user)
+      # overridden by EE module
+    end
+
     def allowed?
       can?(current_user, :approve_user)
     end
@@ -35,3 +40,5 @@ module Users
     end
   end
 end
+
+Users::ApproveService.prepend_if_ee('EE::Users::ApproveService')

ee/app/services/ee/users/approve_service.rb

+# frozen_string_literal: true
+
+module EE
+  module Users
+    module ApproveService
+      extend ::Gitlab::Utils::Override
+
+      override :after_approve_hook
+      def after_approve_hook(user)
+        super
+
+        log_audit_event(user)
+      end
+
+      private
+
+      def log_audit_event(user)
+        ::AuditEventService.new(
+          current_user,
+          user,
+          action: :custom,
+          custom_message: 'Approved user'
+        ).for_user.security_event
+      end
+    end
+  end
+end

ee/spec/services/ee/users/approve_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Users::ApproveService do
+  let(:current_user) { create(:admin) }
+
+  subject(:service) { described_class.new(current_user) }
+
+  describe '#execute', :enable_admin_mode do
+    let(:user) { create(:user, :blocked_pending_approval) }
+
+    subject(:operation) { service.execute(user) }
+
+    describe 'audit events' do
+      context 'when licensed' do
+        before do
+          stub_licensed_features(admin_audit_log: true)
+        end
+
+        context 'when user approve operation succeeds' do
+          it 'logs an audit event' do
+            expect { operation }.to change { AuditEvent.count }.by(1)
+          end
+
+          it 'logs the audit event info' do
+            operation
+
+            expect(AuditEvent.last).to have_attributes(
+              details: hash_including(custom_message: 'Approved user')
+            )
+          end
+        end
+
+        context 'when user approve operation fails' do
+          before do
+            allow(user).to receive(:activate).and_return(false)
+          end
+
+          it 'does not log any audit event' do
+            expect { operation }.not_to change { AuditEvent.count }
+          end
+        end
+      end
+
+      context 'when not licensed' do
+        before do
+          stub_licensed_features(
+            admin_audit_log: false,
+            audit_events: false,
+            extended_audit_events: false
+          )
+        end
+
+        it 'does not log any audit event' do
+          expect { operation }.not_to change(AuditEvent, :count)
+        end
+      end
+    end
+  end
+end