perf(tags): watson-style auto-flushing tag inheritance context

Replaces the dumb suppression flag with a watson-inspired registrar
context manager. Signal handlers register touched instances into the
active context; the context auto-flushes on exit (and on explicit
mid-batch flush). Removes the manual `flush_for_product` orchestration
the importers used to call after the suppression block.

`TagInheritanceContext`:
  - `add(instance)`: register an instance for bulk-sync (no-op when
    inheritance is disabled for that instance's product, so the bulk
    path stays cheap on inheritance-off products).
  - `flush()`: drain registered instances, group by (model, product),
    run one bulk diff per group via the existing
    `_sync_inheritance_for_qs` helper. Locations route through the
    `_build_location_target_names_map` precompute.
  - System-wide inheritance flag is read from the DB once per context
    and cached; per-product flags read off the in-memory product.

Signal hookup (`tags_signals.py`):
  - `make_inherited_tags_sticky` (m2m_changed): when active context
    exists, `ctx.add(instance)` and return — no per-row work.
  - `inherit_tags_on_instance` (post_save, created=True): same pattern.
  - `inherit_tags_on_linked_instance` (post_save on
    LocationFinding/LocationProductReference): registers the underlying
    Location.

Importer / reimporter:
  - `with tag_inheritance.batch() as tag_ctx:` opens the context.
  - Mid-loop: `ctx.flush()` runs before each per-batch
    `post_process_findings_batch` dispatch so JIRA labels reflect
    inherited tags on first push.
  - On context exit: auto-flush handles end-of-import sync (closed
    findings, test/engagement saves, apply_import_tags). Drops the
    explicit `tag_inheritance.flush_for_product(...)` calls.

Query-count impact:
  - ZAP scan import V2:        1006 -> 1057 (+51) — extra context bookkeeping
  - ZAP scan import V3:        947 -> 997 (+50)
  - ZAP reimport (no change V2):  82 -> 69  (-13) — registrar skips no-op
  - ZAP reimport (no change V3): 103 -> 87  (-16)
  - test_importers_performance: unchanged (inheritance off → no register)

Net: import path slightly heavier in exchange for correct JIRA
labelling on first push and a much cleaner orchestration model. The
import-path overhead is constant per import (not per finding); follow-
up commits can trim it.

Author: valentijnscholten

dojo/importers/default_importer.py

@@ -115,12 +115,12 @@ def process_scan(
         # Note: for fresh imports, parse_findings() calls create_test() internally,
         # so self.test is guaranteed to be set after this call.
         parsed_findings = self.parse_findings(scan, parser) or []
-        # Suppress per-row tag-inheritance signal work during the import hot
-        # loop. Inheritance is applied in bulk after the batch via
-        # `tag_inheritance.flush_for_product` (see below). This replaces the
-        # per-finding `_manage_inherited_tags` signal cascade with a single
-        # `propagate_tags_on_product_sync` pass.
-        with tag_inheritance.batch():
+        # Open a tag-inheritance context. Signal handlers register touched
+        # instances into the context; the context auto-flushes (bulk-applies
+        # inherited tags) on exit. Mid-context `ctx.flush()` calls drain the
+        # accumulated set early — used before per-batch post-process dispatch
+        # so JIRA labels reflect the full tag state on first push.
+        with tag_inheritance.batch() as tag_ctx:
             new_findings = self.process_findings(parsed_findings, **kwargs)
             # Close any old findings in the processed list if the the user specified for that
             # to occur in the form that is then passed to the kwargs
@@ -144,10 +144,7 @@ def process_scan(
                 new_findings=new_findings,
                 closed_findings=closed_findings,
             )
-        # Flush inherited tags in bulk for all children of the product touched
-        # by this import. Idempotent and cheap when tag inheritance is
-        # disabled (it short-circuits on the system + per-product flags).
-        tag_inheritance.flush_for_product(self.test.engagement.product)
+        # Inheritance auto-flushes on context exit above.
         # Send out some notifications to the user
         logger.debug("IMPORT_SCAN: Generating notifications")
         dojo_dispatch_task(
@@ -280,6 +277,11 @@ def process_findings(
                 findings_with_parser_tags.clear()
                 finding_ids_batch = list(batch_finding_ids)
                 batch_finding_ids.clear()
+                # Drain the inheritance context BEFORE dispatching post-process
+                # so the JIRA push inside that task sees inherited tags on the
+                # findings (otherwise inheritance lands later, on context exit).
+                if (ctx := tag_inheritance.current()) is not None:
+                    ctx.flush()
                 logger.debug("process_findings: dispatching batch with push_to_jira=%s (batch_size=%d, is_final=%s)",
                              push_to_jira, len(finding_ids_batch), is_final_finding)
                 dojo_dispatch_task(

dojo/importers/default_reimporter.py

@@ -108,11 +108,10 @@ def process_scan(
         # Get the findings from the parser based on what methods the parser supplies
         # This could either mean traditional file parsing, or API pull parsing
         parsed_findings = self.parse_findings(scan, parser) or []
-        # Suppress per-row tag-inheritance signal work during the reimport
-        # hot loop. Inheritance is applied in bulk after the batch via
-        # `tag_inheritance.flush_for_product`. See default_importer for the
-        # rationale.
-        with tag_inheritance.batch():
+        # Open a tag-inheritance context (auto-flushes on exit). Signals
+        # register touched instances; `ctx.flush()` mid-loop drains them
+        # before each post-process dispatch so JIRA labels are correct.
+        with tag_inheritance.batch() as tag_ctx:
             (
                 new_findings,
                 reactivated_findings,
@@ -150,9 +149,7 @@ def process_scan(
                 reactivated_findings=reactivated_findings,
                 untouched_findings=untouched_findings,
             )
-        # Bulk-apply tag inheritance for all children of the product touched
-        # by this reimport.
-        tag_inheritance.flush_for_product(self.test.engagement.product)
+        # Inheritance auto-flushes on context exit above.
         # Send out som notifications to the user
         logger.debug("REIMPORT_SCAN: Generating notifications")
         updated_count = (
@@ -436,6 +433,11 @@ def process_findings(
                         findings_with_parser_tags.clear()
                         finding_ids_batch = list(batch_finding_ids)
                         batch_finding_ids.clear()
+                        # Drain the inheritance context BEFORE dispatching
+                        # post-process so the JIRA push inside that task sees
+                        # inherited tags on the findings.
+                        if (ctx := tag_inheritance.current()) is not None:
+                            ctx.flush()
                         dojo_dispatch_task(
                             finding_helper.post_process_findings_batch,
                             finding_ids_batch,

dojo/tag_inheritance.py

@@ -1,80 +1,174 @@
 """
-Tag inheritance — central coordination module.
-
-Provides a thread-local ``batch()`` context manager that suppresses
-per-instance inheritance work driven by ``m2m_changed`` and ``post_save``
-signals. While inside a batch, the signal handlers in
-``dojo/tags_signals.py`` early-return; the calling code is responsible for
-applying inheritance in bulk (e.g. via the importer's existing
-``_bulk_inherit_tags`` path or ``propagate_tags_on_product_sync``).
-
-This replaces the previous pattern of ``signals.m2m_changed.disconnect(...)``
-in importer hot loops, which was process-global and unsafe under threaded
-gunicorn / Celery thread pools / ASGI threadpools (see PR description for
-the full rationale).
+Tag inheritance — watson-style context manager.
+
+Pattern mirrors `watson.search.SearchContextManager`: signal handlers
+register touched instances into the active context instead of running
+per-row inheritance work; the context flushes them in bulk on
+``flush()`` (called explicitly mid-batch) and on context exit.
+
+Usage:
+    with tag_inheritance.batch() as ctx:
+        # bulk operations create/modify many instances
+        ...
+        ctx.flush()  # optional, mid-batch sync (e.g. before JIRA push)
+        ...
+    # auto-flushes on outermost exit
+
+The context lives in ``threading.local``, so concurrent threads (and
+Celery workers in non-prefork pools) are unaffected by other threads'
+batches.
 """
 from __future__ import annotations
 
-import contextlib
+import logging
 import threading
+from collections import defaultdict
 from contextlib import contextmanager
 
+logger = logging.getLogger(__name__)
+
 _state = threading.local()
 
 
+class TagInheritanceContext:
+
+    """
+    Per-thread registrar for instances whose inherited tags need
+    re-syncing in bulk. Touched instances are grouped by model class;
+    ``flush()`` runs one bulk diff per (model, product) group via the
+    existing ``_sync_inheritance_for_qs`` helper.
+    """
+
+    def __init__(self):
+        self._depth = 0
+        # model_class -> set of instance pks
+        self._touched: dict[type, set[int]] = defaultdict(set)
+        # System-wide inheritance flag is read from the DB and cached for
+        # the lifetime of the context. Per-product flags are read directly
+        # off the in-memory product instance.
+        self._system_inheritance: bool | None = None
+
+    def is_active(self) -> bool:
+        return self._depth > 0
+
+    def system_inheritance_enabled(self) -> bool:
+        if self._system_inheritance is None:
+            from dojo.utils import get_system_setting  # noqa: PLC0415
+            self._system_inheritance = bool(get_system_setting("enable_product_tag_inheritance"))
+        return self._system_inheritance
+
+    def is_inheritance_enabled_for(self, instance) -> bool:
+        """
+        True when the given instance is under at least one product whose
+        inheritance is enabled (per-product flag or system-wide).
+        """
+        from dojo.tags_signals import get_products  # noqa: PLC0415
+        products = get_products(instance)
+        if any(getattr(p, "enable_product_tag_inheritance", False) for p in products if p):
+            return True
+        return self.system_inheritance_enabled()
+
+    def add(self, instance) -> None:
+        """
+        Register an instance for bulk-sync at next flush. No-op when
+        inheritance is disabled for this instance, so the bulk path stays
+        cheap on inheritance-off products.
+        """
+        if instance is None or getattr(instance, "pk", None) is None:
+            return
+        if not self.is_inheritance_enabled_for(instance):
+            return
+        self._touched[type(instance)].add(instance.pk)
+
+    def flush(self) -> None:
+        """
+        Bulk-sync inherited tags for every registered instance, then
+        clear the registry. Idempotent and cheap when nothing was
+        touched.
+        """
+        if not self._touched:
+            return
+        # Local imports to avoid circulars at module import time.
+        from dojo.location.models import Location  # noqa: PLC0415
+        from dojo.product.helpers import (  # noqa: PLC0415
+            _build_location_target_names_map,
+            _sync_inheritance_for_qs,
+        )
+        from dojo.tags_signals import get_products  # noqa: PLC0415
+
+        touched, self._touched = self._touched, defaultdict(set)
+
+        for model_class, pks in touched.items():
+            if not pks:
+                continue
+            queryset = model_class.objects.filter(pk__in=pks)
+            if model_class is Location:
+                # Location target = union of related products' tags. Use
+                # the bulk precompute helper.
+                target_map = _build_location_target_names_map(list(pks))
+                _sync_inheritance_for_qs(
+                    queryset,
+                    target_names_per_child=lambda loc, _m=target_map: _m.get(loc.pk, set()),
+                )
+            else:
+                # All other children belong to one product (Finding via
+                # test, Endpoint via product, etc.). Group by product so
+                # each group gets one target name set.
+                instances = list(queryset)
+                by_product: dict[int, list] = defaultdict(list)
+                product_by_id: dict[int, object] = {}
+                for inst in instances:
+                    products = get_products(inst)
+                    for product in products:
+                        if product is None:
+                            continue
+                        by_product[product.id].append(inst)
+                        product_by_id[product.id] = product
+                for product_id, group in by_product.items():
+                    product = product_by_id[product_id]
+                    target_names = {tag.name for tag in product.tags.all()}
+                    _sync_inheritance_for_qs(
+                        group,
+                        target_names_per_child=lambda _c, _t=target_names: _t,
+                    )
+
+
+def current() -> TagInheritanceContext | None:
+    """Return the active context for this thread, if any."""
+    return getattr(_state, "ctx", None)
+
+
 def is_in_batch() -> bool:
     """Return True when the current thread is inside an active ``batch()``."""
-    return bool(getattr(_state, "depth", 0))
+    ctx = current()
+    return ctx is not None and ctx.is_active()
 
 
 @contextmanager
 def batch():
     """
-    Suppress per-instance inheritance signals for the calling thread.
-
-    Usage:
-        with tag_inheritance.batch():
-            # Bulk operations that would otherwise fire `make_inherited_tags_sticky`
-            # or `inherit_tags_on_instance` per row.
-            ...
-        # After exit, callers should explicitly bulk-apply inheritance via
-        # `propagate_tags_on_product_sync(product)` (or equivalent) for any
-        # product whose children were created/modified inside the batch.
-
-    The context is reentrant; nested ``with`` blocks share the suppression
-    until the outermost block exits. State lives in ``threading.local()``,
-    so concurrent threads (and Celery workers in non-prefork pools) are
-    unaffected by other threads' batches.
-    """
-    _state.depth = getattr(_state, "depth", 0) + 1
-    try:
-        yield
-    finally:
-        _state.depth -= 1
-        if _state.depth <= 0:
-            # Clean up the attribute so leak-free thread reuse stays simple.
-            with contextlib.suppress(AttributeError):
-                del _state.depth
+    Open a tag-inheritance context for the calling thread.
 
+    Inside the context, signal handlers register touched instances
+    instead of running per-row inheritance. On exit, the context
+    auto-flushes (bulk-applies inheritance for every touched instance).
 
-def flush_for_product(product) -> None:
+    Reentrant: nested ``with`` blocks share the context until the
+    outermost block exits.
     """
-    Bulk-apply tag inheritance to all children of `product`.
-
-    Intended to be called after a ``batch()`` block exits, when the calling
-    code has created/modified many children of one product and the
-    per-instance signal handlers were suppressed. Delegates to
-    ``propagate_tags_on_product_sync``, which uses the Phase A bulk-diff
-    helpers to sync `inherited_tags` and `tags` across all children in O(1)
-    queries per (model x tag) instead of O(N) rows.
-
-    Short-circuits when tag inheritance is disabled (neither the system-wide
-    flag nor the per-product flag is set) so callers (e.g. importers) can
-    invoke this unconditionally without paying for it.
-    """
-    # Local imports to avoid circulars at module import time.
-    from dojo.product.helpers import propagate_tags_on_product_sync  # noqa: PLC0415
-    from dojo.utils import get_system_setting  # noqa: PLC0415
-    if not getattr(product, "enable_product_tag_inheritance", False) and not get_system_setting("enable_product_tag_inheritance"):
-        return
-    propagate_tags_on_product_sync(product)
+    ctx = getattr(_state, "ctx", None)
+    owner = ctx is None
+    if owner:
+        ctx = TagInheritanceContext()
+        _state.ctx = ctx
+    ctx._depth += 1
+    try:
+        yield ctx
+    finally:
+        ctx._depth -= 1
+        if ctx._depth <= 0:
+            try:
+                ctx.flush()
+            finally:
+                if owner:
+                    del _state.ctx

dojo/tags_signals.py

@@ -33,17 +33,18 @@ def product_tags_post_add_remove(sender, instance, action, **kwargs):
 @receiver(signals.m2m_changed, sender=Location.tags.through)
 def make_inherited_tags_sticky(sender, instance, action, **kwargs):
     """Make sure inherited tags are added back in if they are removed"""
-    # Inside a `tag_inheritance.batch()` block the caller takes responsibility
-    # for applying inheritance in bulk; per-row signal work would defeat the
-    # purpose. This replaces the old `signals.m2m_changed.disconnect(...)`
-    # pattern, which was process-global and unsafe under threaded workers.
-    if tag_inheritance.is_in_batch():
+    if action not in {"post_add", "post_remove"}:
         return
-    if action in {"post_add", "post_remove"}:
-        if inherit_product_tags(instance):
-            tag_list = [tag.name for tag in instance.tags.all()]
-            if propagate_inheritance(instance, tag_list=tag_list):
-                instance.inherit_tags(tag_list)
+    # Inside a `tag_inheritance.batch()` context, register the instance
+    # for bulk-sync at flush/exit instead of running per-row inheritance.
+    ctx = tag_inheritance.current()
+    if ctx is not None and ctx.is_active():
+        ctx.add(instance)
+        return
+    if inherit_product_tags(instance):
+        tag_list = [tag.name for tag in instance.tags.all()]
+        if propagate_inheritance(instance, tag_list=tag_list):
+            instance.inherit_tags(tag_list)
 
 
 def inherit_instance_tags(instance):
@@ -72,18 +73,23 @@ def inherit_tags_on_instance(sender, instance, created, **kwargs):
     # tag edits is handled by `make_inherited_tags_sticky` (m2m_changed).
     if not created:
         return
-    # Inside a `tag_inheritance.batch()` block the caller takes responsibility
-    # for applying inheritance in bulk after exit (typically via
-    # `tag_inheritance.flush_for_product`).
-    if tag_inheritance.is_in_batch():
+    # Inside a `tag_inheritance.batch()` context, register the new instance
+    # for bulk-sync at flush/exit instead of running per-row inheritance.
+    ctx = tag_inheritance.current()
+    if ctx is not None and ctx.is_active():
+        ctx.add(instance)
         return
     inherit_instance_tags(instance)
 
 
 @receiver(signals.post_save, sender=LocationFindingReference)
 @receiver(signals.post_save, sender=LocationProductReference)
 def inherit_tags_on_linked_instance(sender, instance, created, **kwargs):
-    if tag_inheritance.is_in_batch():
+    # Linked refs (LocationFinding/LocationProductReference) bind a Location
+    # to a Finding/Product. Register the underlying Location for bulk-sync.
+    ctx = tag_inheritance.current()
+    if ctx is not None and ctx.is_active():
+        ctx.add(instance.location)
         return
     inherit_linked_instance_tags(instance)
 

unittests/test_tag_inheritance_perf.py

@@ -510,7 +510,7 @@ def test_baseline_zap_scan_reimport_no_change_v3(self):
     # rises because flush always runs; bulk re-merge has a fixed cost even
     # when there's no work. Stages 3+4+5 (drop duplicate inherited_tags M2M)
     # will collapse the reimport cost.
-    EXPECTED_ZAP_IMPORT_V2 = 1006
-    EXPECTED_ZAP_IMPORT_V3 = 947
-    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V2 = 82
-    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V3 = 103
+    EXPECTED_ZAP_IMPORT_V2 = 1057
+    EXPECTED_ZAP_IMPORT_V3 = 997
+    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V2 = 69
+    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V3 = 87