From db39515d60adaa530086c2bf790d1a5bb151fa6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?=
 <852750+sozercan@users.noreply.github.com>
Date: Thu, 9 Apr 2026 12:39:18 -0700
Subject: [PATCH] rego: propagate external_data provider failures as query
 errors

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
---
 constraint/pkg/client/drivers/rego/builtin.go       |  7 +++----
 .../pkg/client/drivers/rego/driver_unit_test.go     | 13 ++++++++-----
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/constraint/pkg/client/drivers/rego/builtin.go b/constraint/pkg/client/drivers/rego/builtin.go
index 12891c687..961636193 100644
--- a/constraint/pkg/client/drivers/rego/builtin.go
+++ b/constraint/pkg/client/drivers/rego/builtin.go
@@ -1,7 +1,6 @@
 package rego
 
 import (
-	"net/http"
 	"time"
 
 	"github.com/open-policy-agent/opa/v1/ast"
@@ -64,17 +63,17 @@ func externalDataBuiltin(d *Driver) func(bctx rego.BuiltinContext, regorequest *
 		if len(providerRequestKeys) > 0 {
 			provider, err := d.providerCache.Get(regoReq.ProviderName)
 			if err != nil {
-				return externaldata.HandleError(http.StatusBadRequest, err)
+				return nil, err
 			}
 
 			clientCert, err := d.getTLSCertificate()
 			if err != nil {
-				return externaldata.HandleError(http.StatusBadRequest, err)
+				return nil, err
 			}
 
 			externaldataResponse, statusCode, err := d.sendRequestToProvider(bctx.Context, &provider, providerRequestKeys, clientCert)
 			if err != nil {
-				return externaldata.HandleError(statusCode, err)
+				return nil, err
 			}
 
 			// update provider response cache if it is enabled
diff --git a/constraint/pkg/client/drivers/rego/driver_unit_test.go b/constraint/pkg/client/drivers/rego/driver_unit_test.go
index f36e2cf3d..cacecb050 100644
--- a/constraint/pkg/client/drivers/rego/driver_unit_test.go
+++ b/constraint/pkg/client/drivers/rego/driver_unit_test.go
@@ -864,13 +864,16 @@ func TestDriver_ExternalData(t *testing.T) {
 						[]*unstructured.Unstructured{cts.MakeConstraint(t, "Fakes", "foo-1")},
 						map[string]interface{}{"hi": "there"},
 					)
-					if err != nil {
-						t.Fatalf("got Query() error = %v, want %v", err, nil)
+					if tt.errorExpected {
+						if err == nil {
+							t.Fatalf("got Query() error = nil, want non-nil")
+						}
+						return
 					}
-					if tt.errorExpected && len(qr.Results) == 0 {
-						t.Fatalf("got 0 errors on normal query; want 1")
+					if err != nil {
+						t.Fatalf("got Query() error = %v, want nil", err)
 					}
-					if !tt.errorExpected && len(qr.Results) > 0 {
+					if len(qr.Results) > 0 {
 						t.Fatalf("got %d errors on normal query; want 0", len(qr.Results))
 					}
 				})