tsibley · September 19, 2024 21:07
diff --git a/heroku-redis-cli b/heroku-redis-cli
 #!/bin/bash
 set -euo pipefail

 app_db="${1:?usage: $(basename "$0") <app-name>[/<database-name>]}"
 shift

 app="${app_db%%/*}"
 db="${app_db#*/}"

 url="$(heroku redis:credentials -a "$app" "$db")"
 pass="$(<<<"$url" grep -m1 -oP '[^:]+(?=@)')"
 host="$(<<<"$url" cut -d@ -f2 | cut -d: -f1)"
 port="$(<<<"$url" cut -d@ -f2 | cut -d: -f2)"

 # Heroku Redis' TLS socket is documented to be on the next port up from the non-TLS port.
 if [[ "$url" == redis:* ]]; then
    port=$((port+1))
 fi

 export REDISCLI_AUTH="$pass"

 # Heroku's Redis uses self-signed certs instead of specific CA (even a self-CA)
 # we can trust.  Ugh.  This means active snooping is still possible with MITM,
 # but at least passing snooping is blocked.
 exec redis.cli --tls -h "$host" -p "$port" --insecure "$@"
	#!/bin/bash
	set -euo pipefail

	app_db="${1:?usage: $(basename "$0") <app-name>[/<database-name>]}"
	shift

	app="${app_db%%/*}"
	db="${app_db#*/}"

	url="$(heroku redis:credentials -a "$app" "$db")"
	pass="$(<<<"$url" grep -m1 -oP '[^:]+(?=@)')"
	host="$(<<<"$url" cut -d@ -f2 \| cut -d: -f1)"
	port="$(<<<"$url" cut -d@ -f2 \| cut -d: -f2)"

	# Heroku Redis' TLS socket is documented to be on the next port up from the non-TLS port.
	if [[ "$url" == redis:* ]]; then
	port=$((port+1))
	fi

	export REDISCLI_AUTH="$pass"

	# Heroku's Redis uses self-signed certs instead of specific CA (even a self-CA)
	# we can trust. Ugh. This means active snooping is still possible with MITM,
	# but at least passing snooping is blocked.
	exec redis.cli --tls -h "$host" -p "$port" --insecure "$@"