API Gateway with Corules Policy Enforcement Middleware
Deploy Corules as middleware in your API gateway (AWS API Gateway, Kong, Azure APIM). Every request to business APIs (create refund, transfer funds, approve PO) is validated against policy before reaching the backend.
Setup Steps
1. Add a Corules Lambda Authorizer (AWS) or Plugin (Kong) to your API gateway
2. Configure the authorizer to extract actor identity from the Authorization header (JWT)
3. Map the incoming request payload to the Corules context schema in the authorizer configuration
4. The authorizer calls Corules Gate 2; ALLOW passes the request, BLOCK returns 403 and ESCALATE returns 202, each with the policy reason
5. Log the Corules audit_id as a response header for end-to-end correlation
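Steps 4 and 5 as an added example (not Corules or project code): a fail-closed mapping from a Corules result to the IAM policy a REST API Lambda authorizer returns, with the audit_id carried in the authorizer context. `toAuthorizerResponse` and `buildPolicy` are hypothetical names, the ARN and audit ids are constructed, and it assumes ESCALATE is not let through to the backend at the gateway.

```javascript
// Added example: hypothetical helpers, not part of the Corules SDK.
// Input shape ({ outcome, audit_id, violations[].explanation }) follows the page.
const KNOWN_OUTCOMES = new Set(['ALLOW', 'BLOCK', 'ESCALATE']);

function buildPolicy(principalId, effect, methodArn, context) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
    // Exposed to API Gateway as $context.authorizer.<key>; values must be
    // strings, numbers or booleans (no objects or arrays).
    context,
  };
}

function toAuthorizerResponse(result, principalId, methodArn) {
  // Fail closed: a missing, malformed or unrecognised outcome is treated as BLOCK.
  const outcome = result && KNOWN_OUTCOMES.has(result.outcome) ? result.outcome : 'BLOCK';
  const context = {
    corulesOutcome: outcome,
    auditId: String((result && result.audit_id) || 'unavailable'),
  };
  if (outcome !== 'ALLOW') {
    const first = result && Array.isArray(result.violations) ? result.violations[0] : undefined;
    // Bound the length of the policy reason before it is surfaced to the caller.
    context.reason = String((first && first.explanation) || 'No explanation provided').slice(0, 256);
  }
  // The policy Effect is either Allow or Deny, so only ALLOW yields Allow;
  // BLOCK and ESCALATE both stop here and differ only in corulesOutcome.
  return buildPolicy(principalId, outcome === 'ALLOW' ? 'Allow' : 'Deny', methodArn, context);
}

// Constructed sample inputs (not real Corules output).
const SAMPLE_ARN = 'arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/POST/refunds';
const sampleAllow = { outcome: 'ALLOW', audit_id: 'aud-0001' };
const sampleBlock = {
  outcome: 'BLOCK',
  audit_id: 'aud-0002',
  violations: [{ explanation: 'Refund exceeds actor limit' }],
};

console.log(JSON.stringify(toAuthorizerResponse(sampleBlock, 'user-42', SAMPLE_ARN), null, 2));
```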
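Code Example
```javascript
// AWS Lambda Authorizer calling Corules.
// `guardrail` is assumed to be an initialised Corules client; deriveUseCase,
// extractContext, extractDecision, generateAllow and generateDeny are helpers
// defined elsewhere in your project.
// Note: a standard API Gateway authorizer event does not include the request
// body, so `event.requestBody` has to be supplied by your own integration.
exports.handler = async (event) => {
  const token = event.authorizationToken.replace(/^Bearer\s+/i, '');
  const body = JSON.parse(event.requestBody || '{}');

  const result = await guardrail.validate({
    useCase: deriveUseCase(event.resource, event.httpMethod),
    actor: token, // must be a verified JWT; this handler does not check the signature itself
    context: extractContext(body),
    decision: extractDecision(body),
    correlationId: event.requestContext.requestId,
    idempotencyKey: event.headers?.['X-Idempotency-Key'],
  });

  if (result.outcome === 'ALLOW') {
    return generateAllow(token, { auditId: result.audit_id });
  } else if (result.outcome === 'ESCALATE') {
    return {
      statusCode: 202,
      body: JSON.stringify({
        message: 'Decision escalated for review',
        audit_id: result.audit_id,
      }),
    };
  } else {
    // Any other outcome, including BLOCK, is denied.
    return generateDeny(token, result.violations?.[0]?.explanation);
  }
};
```
Frequently Asked Questions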
What is the latency impact of adding Corules to the API gateway?
CEL evaluation is sub-10ms. Network latency to the Corules API depends on deployment topology. For lowest latency, deploy Corules in the same region as your API gateway.