feat: allow talosctl wipe disk command

Impersonate the `os:admin` role in the Talos gRPC proxy to make the
request work both in maintenance and normal modes.

Fixes: #1143

Signed-off-by: Artem Chernyshev <[email protected]>

Author: Unix4ever

internal/backend/grpc/router/talos_backend.go

@@ -12,6 +12,7 @@ import (
 	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-api-signature/pkg/message"
 	"github.com/siderolabs/talos/pkg/machinery/api/machine"
+	"github.com/siderolabs/talos/pkg/machinery/api/storage"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	talosrole "github.com/siderolabs/talos/pkg/machinery/role"
 	"google.golang.org/grpc"
@@ -41,6 +42,11 @@ var operatorMethodSet = xslices.ToSet([]string{
 	grpcutil.MustFullMethodName(&machine.MachineService_ServiceDesc, "Shutdown"),
 })
 
+// adminMethodSet is the set of methods that are allowed to be called by the minimum role of os:admin.
+var adminMethodSet = xslices.ToSet([]string{
+	grpcutil.MustFullMethodName(&storage.StorageService_ServiceDesc, "BlockDeviceWipe"),
+})
+
 // TalosBackend implements a backend (proxying one2one to a Talos node).
 type TalosBackend struct {
 	conn         *grpc.ClientConn
@@ -157,6 +163,13 @@ func (backend *TalosBackend) setRoleHeaders(ctx context.Context, md metadata.MD,
 
 	minTalosVersion := backend.minTalosVersion(info)
 
+	// methods that should have admin access
+	if _, ok := adminMethodSet[fullMethodName]; ok {
+		setHeaderData(ctx, md, constants.APIAuthzRoleMetadataKey, talosrole.MakeSet(talosrole.Admin).Strings()...)
+
+		return
+	}
+
 	// min Talos version is >= 1.4.0, we can use Operator role
 	if minTalosVersion != nil && minTalosVersion.GTE(semver.MustParse("1.4.0")) {
 		setHeaderData(ctx, md, constants.APIAuthzRoleMetadataKey, talosrole.MakeSet(talosrole.Operator).Strings()...)