Draft: Add new control server subsystem to store ZTA data on disk

[RebeccaMahany]

We want to use the control server subsystem zta_info to accept a signed JWT or PASETO. The subsystem should validate this data, then write it to disk as a .zta file (file location and permissions TBD).

We may want the file location to be dictated by the control server. If so, the subsystem should have an allowlist for permitted locations.

Notes on implementation:

• The store and subsystem was added in this PR Receive ZTA info via control server and make it available via localserver #2096, using the existing ConfigConsumer. As we get more requirements, we may need to use a custom consumer instead to process the data. We have a few available patterns for how to process data from this subsystem:
  • We could continue to use the ConfigConsumer as our consumer for this new subsystem. We would then add a new subscriber that, on call to Ping, validates the data in the data store and writes it to disk. The drawback to this approach is that we can't validate the signed JWT or PASETO before writing it to the data store.
  • We could instead add one consumer that, on Update, validates the data, writes it to disk, and stores it in the data store. The drawback to this approach is that we are re-implementing parts of the ConfigConsumer.
• If we use a JWT, there are a couple places in the codebase you can look at for parsing/validating: kolide_jwt table, enroll-secret checkup.