Add entry endpoint to handle users from Signon

We've got a bit of a problem at the moment with users arriving to Chat
from Signon. Consider the following user groups:

- GOV.UK AI Team users who have access to the Admin Interface and want to
use it for monitoring and evaluation purposes. Generally, these users
will not have the 'web-chat' permission and will be unable to access the
Chat Interface.
- Departmental users who don't have access to the Admin Interface, but
do have the 'web-chat' permission and want to test Chat.

Both of these users will often, particularly the first time they arrive, use
the link to the application in Signon[1].

The link currently points to the Admin UI, which is confusing for departmental
users who may not know how to amend the url to get to the Chat Interface.

Ideally, we shouldn't have to either:

- Update it to point to the Chat Interface and have to let internal users
know how to get to the Admin Interface, or
- Point it to the Admin Interface and have to let departmental users know
how to get to the Chat Interface.

To get round this, we're going to add a new endpoint that we will link
to from Signon. This endpoint will check the current_users permissisions and:

- Redirect them to the Admin Interface if the have the 'admin-area' permission
- Redirect them to the Chat Interface if they have the 'web-chat' permission
- Prioritise the Admin Interface if they have both permissions
- Render the forbidden page if they have neither permission

The EntryController inherits from the BaseController which already handles
user authentication, so we can be sure that the user is signed in when
they hit this endpoint.

I've skipped the authorise_web_user! and check_chat_web_access before
actions. The reason for this is:

- authorise_web_user!: We don't want this to run before the action as it
would return a 403 for a user who has the 'admin-area' permission but
doesn't have the 'web-chat' permission. As mentioned above, if a user
doesn't have either permission then this endpoint will return a 403
forbidden response after checking permissions.

- check_chat_web_access: We only want to check that the Settings web chat
access is enabled and render the downtime page if the user has the 'web-chat'
permission and doesn't have the 'admin-area' permission. Due to this,
i've called it within the conditional that is only reached after we've
established that the user doesn't have the 'admin-area' permission but
does have the 'web-chat' permission.

[1]: https://signon.publishing.service.gov.uk/doorkeeper_applications/9615/edit

Author: davidgisbey

app/controllers/entry_controller.rb

@@ -0,0 +1,16 @@
+class EntryController < BaseController
+  skip_before_action :authorise_web_user
+  skip_before_action :check_chat_web_access
+
+  def index
+    if current_user.has_permission?(SignonUser::Permissions::ADMIN_AREA)
+      redirect_to admin_homepage_path
+    elsif current_user.has_permission?(SignonUser::Permissions::WEB_CHAT)
+      unless check_chat_web_access
+        redirect_to homepage_path
+      end
+    else
+      render "errors/forbidden", status: :forbidden
+    end
+  end
+end

config/routes.rb

@@ -22,6 +22,7 @@
 
   scope :chat, format: false, defaults: { format: "html" }, constraints: html_constraint do
     get "", to: "homepage#index", as: :homepage
+    get "/entry", to: "entry#index", as: :entry
 
     scope :conversation do
       get "", to: "conversations#show", as: :show_conversation

spec/requests/entry_spec.rb

@@ -0,0 +1,57 @@
+RSpec.describe "EntryController" do
+  describe "GET :index" do
+    it "redirects users with the 'admin-area' permission to the Admin UI" do
+      login_as(create(:signon_user, :admin))
+      get entry_path
+
+      expect(response).to have_http_status(:redirect)
+      expect(response).to redirect_to(admin_homepage_path)
+    end
+
+    it "redirects users with the 'web-chat' permission to the homepage" do
+      login_as(create(:signon_user, :web_chat))
+      get entry_path
+
+      expect(response).to have_http_status(:redirect)
+      expect(response).to redirect_to(homepage_path)
+    end
+
+    it "redirects users with both 'admin-area' and 'web-chat' permissions to the Admin UI" do
+      login_as(create(:signon_user, permissions: %w[admin-area web-chat]))
+
+      get entry_path
+
+      expect(response).to have_http_status(:redirect)
+      expect(response).to redirect_to(admin_homepage_path)
+    end
+
+    it "renders forbidden for users without the 'admin-area' or 'web-chat' permissions" do
+      login_as(create(:signon_user))
+      get entry_path
+      expect(response).to have_http_status(:forbidden)
+    end
+
+    context "when web access is disabled" do
+      before { create(:settings, web_access_enabled: false) }
+
+      it "redirects users with the 'admin-area' permission to the Admin UI" do
+        login_as(create(:signon_user, :admin))
+
+        get entry_path
+
+        expect(response).to have_http_status(:redirect)
+        expect(response).to redirect_to(admin_homepage_path)
+      end
+
+      it "renders the downtime page for non-admin users with the 'web-chat' permission" do
+        login_as(create(:signon_user, :web_chat))
+
+        get entry_path
+
+        expect(response).to have_http_status(:service_unavailable)
+        expect(response.body)
+          .to have_content("GOV.UK Chat is not currently available")
+      end
+    end
+  end
+end