Limit audit events controller to 31 days date range

alerts and response with bad request
when date range is greater than 31 days for
audit event controllers (instance, group, project)

Changelog: fixed
EE: true

ee/app/controllers/concerns/audit_events/date_range.rb

@@ -4,15 +4,30 @@ module AuditEvents
   module DateRange
     extend ActiveSupport::Concern
 
+    DATE_RANGE_LIMIT = 31
+
     included do
-      before_action :set_date_range, only: [:index]
+      before_action :set_date_range, :validate_date_range, only: [:index]
     end
 
     private
 
     def set_date_range
-      params[:created_before] = params[:created_before].nil? ? Date.current.end_of_day : Date.parse(params[:created_before]).end_of_day
-      params[:created_after] = Date.current.beginning_of_month unless params[:created_after]
+      params[:created_before] = params[:created_before].blank? ? Date.current.end_of_day : Date.parse(params[:created_before]).end_of_day
+      params[:created_after] = Date.current.beginning_of_month unless params[:created_after].present?
+    end
+
+    def validate_date_range
+      return unless (params[:created_before].to_date - params[:created_after].to_date).days > DATE_RANGE_LIMIT.days
+
+      message = _('Date range limited to %{number} days') % { number: DATE_RANGE_LIMIT }
+      respond_to do |format|
+        format.html do
+          flash[:alert] = message
+          render status: :bad_request
+        end
+        format.any { head :bad_request }
+      end
     end
   end
 end

ee/spec/controllers/admin/audit_logs_controller_spec.rb

@@ -63,6 +63,12 @@ RSpec.describe Admin::AuditLogsController do
           end
         end
       end
+
+      context 'when date range is greater than limit' do
+        subject { get :index, params: { 'created_before': created_before, 'created_after': created_after } }
+
+        it_behaves_like 'a date range error is returned'
+      end
     end
 
     context 'by user' do

ee/spec/controllers/groups/audit_events_controller_spec.rb

@@ -150,6 +150,12 @@ RSpec.describe Groups::AuditEventsController do
           end
         end
       end
+
+      context 'when date range is greater than limit' do
+        subject { get :index, params: { group_id: group.to_param, 'created_before': created_before, 'created_after': created_after } }
+
+        it_behaves_like 'a date range error is returned'
+      end
     end
 
     context 'when authorized owner' do

ee/spec/controllers/projects/audit_events_controller_spec.rb

@@ -126,6 +126,12 @@ RSpec.describe Projects::AuditEventsController do
           end
         end
       end
+
+      context 'when date range is greater than limit' do
+        subject { get :index, params: { project_id: project.to_param, namespace_id: project.namespace.to_param, 'created_before': created_before, 'created_after': created_after } }
+
+        it_behaves_like 'a date range error is returned'
+      end
     end
 
     shared_examples 'pagination' do

ee/spec/support/shared_examples/controllers/date_range_validation_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'a date range error is returned' do
+  using RSpec::Parameterized::TableSyntax
+
+  where(:created_after, :created_before) do
+    '2021-01-01' | '2021-02-02'
+    '2022-01-31' | nil
+  end
+  with_them do
+    it 'returns an error' do
+      subject
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(flash[:alert]).to eq 'Date range limited to 31 days'
+    end
+  end
+end