open-policy-agent · sozercan · Apr 9, 2026 · Copilot · Apr 9, 2026 · Copilot
diff --git a/constraint/pkg/client/drivers/rego/builtin.go b/constraint/pkg/client/drivers/rego/builtin.go
@@ -1,7 +1,6 @@
 package rego
 
 import (
-	"net/http"
 	"time"
 
 	"github.com/open-policy-agent/opa/v1/ast"
@@ -64,17 +63,17 @@ func externalDataBuiltin(d *Driver) func(bctx rego.BuiltinContext, regorequest *
 		if len(providerRequestKeys) > 0 {
 			provider, err := d.providerCache.Get(regoReq.ProviderName)
 			if err != nil {
-				return externaldata.HandleError(http.StatusBadRequest, err)
+				return nil, err
 			}
 
 			clientCert, err := d.getTLSCertificate()
 			if err != nil {
-				return externaldata.HandleError(http.StatusBadRequest, err)
+				return nil, err
 			}
 
 			externaldataResponse, statusCode, err := d.sendRequestToProvider(bctx.Context, &provider, providerRequestKeys, clientCert)
 			if err != nil {
-				return externaldata.HandleError(statusCode, err)
+				return nil, err
 			}
 
 			// update provider response cache if it is enabled

diff --git a/constraint/pkg/client/drivers/rego/driver_unit_test.go b/constraint/pkg/client/drivers/rego/driver_unit_test.go
@@ -864,13 +864,16 @@ func TestDriver_ExternalData(t *testing.T) {
 						[]*unstructured.Unstructured{cts.MakeConstraint(t, "Fakes", "foo-1")},
 						map[string]interface{}{"hi": "there"},
 					)
-					if err != nil {
-						t.Fatalf("got Query() error = %v, want %v", err, nil)
+					if tt.errorExpected {
+						if err == nil {
+							t.Fatalf("got Query() error = nil, want non-nil")
+						}
+						return
 					}
-					if tt.errorExpected && len(qr.Results) == 0 {
-						t.Fatalf("got 0 errors on normal query; want 1")
+					if err != nil {
+						t.Fatalf("got Query() error = %v, want nil", err)
 					}
-					if !tt.errorExpected && len(qr.Results) > 0 {
+					if len(qr.Results) > 0 {
 						t.Fatalf("got %d errors on normal query; want 0", len(qr.Results))
 					}
 				})