[PIDM-42] fix(payment-status): payment position/option status not coherent

[dylantangredi-bvt]

List of Changes

These changes are relevant in case the user pays the full amount for a payment position in presence of already paid installments/payment options:

• Fixed payment option status not changing from PO_UNPAID to PO_PAID
• Added detailed logs for this specific case, instead of throwing an exception that makes the db not coherent with the payment process on the node
• Fixed payment position status not changing from PARTIALLY_PAID to PAID
• Moved the exception handling from the /pay to the /get (activate) phase to prevent the issue

Motivation and Context

This is a hotfix that was necessary to make the db coherent with what the user experiences during checkout. Before the fix, if the user paid using a NAV corresponding to the full amount due for the payment position but one or more installment/payment options were already paid for the same payment position, then the payment option corresponding to the full amount did not change status from PO_UNPAID to PAID, causing a discrepancy in the process. This happened because the checkout ended correctly up to the receipt generation for the user payment, but in the backend a HttpStatus.CONFLICT, "Existing related payment found" was being thrown.

How Has This Been Tested?

Tested locally with Postman making the following use case:

• Create debt position with 4 payment options, option 1 being for the full amount and option 2/3/4 for the 3 installments
• Publish debt position
• Pay payment option 2 (corresponding to one installment)
• Get payment option 2 by NAV and check db status on the option (PO_PAID)
• Get payment option 1 by NAV (corresponding to the full amount) -> error 409
• Pay payment option 1 (corresponding to the full amount), skipping activate
• Retrieve payment option by NAV and check db status on the option -> PO_PAID and debtPositionStatus -> PAID

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

pagopa-debt-position/src/main/java/it/gov/pagopa/debtposition/service/payments/PaymentsService.java

Lines 3 to 20 in c2e1437

	import java.time.LocalDate;
	import java.time.LocalDateTime;
	import java.time.ZoneOffset;
	import java.util.Collections;
	import java.util.Comparator;
	import java.util.List;
	import java.util.Objects;
	import java.util.Optional;
	import javax.validation.Valid;
	import javax.validation.constraints.NotBlank;
	import javax.validation.constraints.NotNull;
	import org.springframework.beans.factory.annotation.Autowired;
	import org.springframework.beans.factory.annotation.Value;
	import org.springframework.stereotype.Service;
	import org.springframework.transaction.annotation.Transactional;

[cap-ang]

Great,

How about preventing these cases by blocking the activation phase with a 409 if the activation is not related to an installment (payment option with isPartialPayment true)?

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

Suggested change

	return paymentOption;
	if (po.isEmpty()) {
	throw new AppException(AppError.PAYMENT_OPTION_NOT_FOUND, organizationFiscalCode, nav);

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

Suggested change

	}
	pp.setLastUpdatedDate(currentDate);
	// salvo l'aggiornamento del pagamento
	paymentPositionRepository.saveAndFlush(pp);
	return poToPay;
	}
	private Transfer updateTransferStatus(PaymentPosition pp, String iuv, String transferId) {
	LocalDateTime currentDate = LocalDateTime.now(ZoneOffset.UTC);
	long numberPOTransfers = 0;
	long countReportedTransfer = 0;
	Transfer reportedTransfer = null;
	for (PaymentOption po : pp.getPaymentOption()) {
	if (po.getIuv().equals(iuv)) {
	// numero totale dei transfer per la PO
	numberPOTransfers = po.getTransfer().stream().count();
	// numero dei transfer della PO in stato T_REPORTED
	countReportedTransfer =
	po.getTransfer().stream()
	.filter(t -> t.getStatus().equals(TransferStatus.T_REPORTED))
	.count();
	// recupero il transfer oggetto di rendicontazione
	Optional<Transfer> transferToReport =
	po.getTransfer().stream().filter(t -> t.getIdTransfer().equals(transferId)).findFirst();
	if (transferToReport.isEmpty()) {
	log.error(
	"Obtained unexpected empty transfer - "
	+ "[organizationFiscalCode= "
	+ pp.getOrganizationFiscalCode()
	+ "; "
	+ "iupd= "
	+ pp.getIupd()
	+ "; "
	+ "iuv= "
	+ iuv
	+ "; "
	+ "idTransfer= "
	+ transferId
	+ "]");
	throw new AppException(
	AppError.TRANSFER_REPORTING_FAILED, pp.getOrganizationFiscalCode(), iuv, transferId);
	}

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

Suggested change

	// aggiorno lo stato della payment position
	if (countPaidPartialPayment > 0 && countPaidPartialPayment < numberOfPartialPayment) {
	// PIDM-42 if paying the full amount when there is already a paid partial payment
	// then update the payment position status to PAID
	if (countPaidPartialPayment > 0 && countPaidPartialPayment < numberOfPartialPayment
	&& Boolean.TRUE.equals(Objects.requireNonNull(poToPay).getIsPartialPayment())) {
	pp.setStatus(DebtPositionStatus.PARTIALLY_PAID);
	transferToReport.get().setStatus(TransferStatus.T_REPORTED);
	transferToReport.get().setLastUpdatedDate(currentDate);
	countReportedTransfer++;
	// aggiorno lo stato della PO
	if (countReportedTransfer < numberPOTransfers) {
	po.setStatus(PaymentOptionStatus.PO_PARTIALLY_REPORTED);

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

Suggested change

	+ auxDigit
	+ "123456IUVMULTIPLEMOCK3")
	+ auxDigit
	+ "123456IUVMULTIPLEMOCK3")

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

pagopa-debt-position/src/main/java/it/gov/pagopa/debtposition/service/payments/PaymentsService.java

Lines 68 to 73 in 7aac4b2

	PaymentOption paymentOption = po.get();
	// Update PaymentPosition instance only in memory
	// PaymentPosition used when converting PaymentOption to POWithDebtor
	DebtPositionStatus.validityCheckAndUpdate(paymentOption);
	DebtPositionStatus.expirationCheckAndUpdate(paymentOption);
	DebtPositionStatus.checkAlreadyPaidInstallments(paymentOption, nav);

[github-actions]

[google-java-format] _{reported by reviewdog 🐶}

pagopa-debt-position/src/main/java/it/gov/pagopa/debtposition/service/payments/PaymentsService.java

Lines 244 to 245 in 7aac4b2

	pp.setStatus(DebtPositionStatus.PAID);
	pp.setPaymentDate(paymentOptionModel.getPaymentDate());

[dylantangredi-bvt]

Great,

How about preventing these cases by blocking the activation phase with a 409 if the activation is not related to an installment (payment option with isPartialPayment true)?

I assume you meant isPartialPayment false because that indicates the full amount payment (so not related to an installment). In this case it has been done with the latest commit

To fix the log injection issue, we need to sanitize the nav parameter before logging it. The best way to do this is to remove any potentially harmful characters from the nav parameter, such as new-line characters, which can be used to forge log entries. We can use a utility method to sanitize the input by replacing or removing such characters.

1. Create a utility method to sanitize the nav parameter by removing new-line characters and other potentially harmful characters.
2. Use this utility method to sanitize the nav parameter before logging it in the DebtPositionValidation class.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
88.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud