From 52dcf3469009ac5e96920593e8b3e7bef5fa7f81 Mon Sep 17 00:00:00 2001
From: Chris Broadfoot <cbro@golang.org>
Date: Tue, 15 Sep 2015 17:49:47 -0700
Subject: [PATCH] google: Re-enable AppEngineTokenSource to be used from
 Managed VMs.

Fixes #152.

Change-Id: I757c011d3ac5dca8f80fb2119eda3adf8c178ca6
Reviewed-on: https://go-review.googlesource.com/14622
Reviewed-by: Andrew Gerrand <adg@golang.org>
---
 google/appengine.go        |  3 +++
 google/appenginevm_hook.go | 14 ++++++++++++++
 google/default.go          |  5 +++--
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 google/appenginevm_hook.go

diff --git a/google/appengine.go b/google/appengine.go
index 65dc347..8554221 100644
--- a/google/appengine.go
+++ b/google/appengine.go
@@ -14,6 +14,9 @@ import (
 	"golang.org/x/oauth2"
 )
 
+// Set at init time by appenginevm_hook.go. If true, we are on App Engine Managed VMs.
+var appengineVM bool
+
 // Set at init time by appengine_hook.go. If nil, we're not on App Engine.
 var appengineTokenFunc func(c context.Context, scopes ...string) (token string, expiry time.Time, err error)
 
diff --git a/google/appenginevm_hook.go b/google/appenginevm_hook.go
new file mode 100644
index 0000000..633611c
--- /dev/null
+++ b/google/appenginevm_hook.go
@@ -0,0 +1,14 @@
+// Copyright 2015 The oauth2 Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build appenginevm
+
+package google
+
+import "google.golang.org/appengine"
+
+func init() {
+	appengineVM = true
+	appengineTokenFunc = appengine.AccessToken
+}
diff --git a/google/default.go b/google/default.go
index 78f8089..66daeef 100644
--- a/google/default.go
+++ b/google/default.go
@@ -50,7 +50,8 @@ func DefaultClient(ctx context.Context, scope ...string) (*http.Client, error) {
 //      On Windows, this is %APPDATA%/gcloud/application_default_credentials.json.
 //      On other systems, $HOME/.config/gcloud/application_default_credentials.json.
 //   3. On Google App Engine it uses the appengine.AccessToken function.
-//   4. On Google Compute Engine, it fetches credentials from the metadata server.
+//   4. On Google Compute Engine and Google App Engine Managed VMs, it fetches
+//      credentials from the metadata server.
 //      (In this final case any provided scopes are ignored.)
 //
 // For more details, see:
@@ -84,7 +85,7 @@ func DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSourc
 	}
 
 	// Third, if we're on Google App Engine use those credentials.
-	if appengineTokenFunc != nil {
+	if appengineTokenFunc != nil && !appengineVM {
 		return AppEngineTokenSource(ctx, scope...), nil
 	}