Draft: Add new control server subsystem to store ZTA data on disk #1917

Open
RebeccaMahany opened this issue Oct 25, 2024 · 0 comments
Labels
features-improvements Features and Improvements
RebeccaMahany commented Oct 25, 2024

We want a new control server subsystem (name of subsystem TBD) that accepts a signed JWT or PASETO. The subsystem should validate this data, then write it to disk as a .zta file (file location and permissions TBD).

We may want the file location to be dictated by the control server. If so, the subsystem should have an allowlist for permitted locations.

The subsystem should also write its data to the launcher database, in a new data store.

Notes on implementation:

  • Look here and here for adding a new store.
  • We have a few available patterns for how to process data from this subsystem:
    • We could use the keyvalueconsumer as our consumer for this new subsystem. This consumer will automatically write the provided data to the given data store. We would then add a new subscriber that, on call to Ping, validates the data in the data store and writes it to disk. The drawback to this approach is that we can't validate the signed JWT or PASETO before writing it to the data store.
    • We could instead add one consumer that, on Update, validates the data, writes it to disk, and stores it in the data store. The drawback to this approach is that we are re-implementing parts of the keyvalueconsumer.
  • If we use a JWT, there are a couple places in the codebase you can look at for parsing/validating: kolide_jwt table, enroll-secret checkup.
@RebeccaMahany RebeccaMahany added the features-improvements Features and Improvements label Oct 25, 2024
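The "validate, then persist" consumer sketched in the second bullet above, as an added Go example (not launcher code): an Ed25519-signed JWT is verified against a pinned key and checked for expiry before anything is written to an allowlisted .zta location. The allowlist entries, the 0600 file mode and the EdDSA algorithm are assumptions standing in for the TBD choices in the issue, and the data-store write is left out.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"os"
	"path/filepath"
	"strings"
	"time"
)
// Destinations the control server may name; constructed here, the real list is TBD.
var allowedDirs = []string{"/var/lib/launcher/zta", os.TempDir()}
// allowedPath resolves p (collapsing "." and "..") and accepts it only inside an allowlisted directory.
func allowedPath(p string) (string, error) {
	abs, _ := filepath.Abs(p) // Abs only fails when the working directory is unavailable
	for _, dir := range allowedDirs {
		rel, err := filepath.Rel(dir, abs)
		if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return abs, nil
		}
	}
	return "", errors.New("destination is outside the allowlisted directories: " + p)
}
// verifyJWT checks an Ed25519-signed compact JWT against a pinned key (alg fixed in code, never read from the header) and enforces exp.
func verifyJWT(token string, pub ed25519.PublicKey, now time.Time) error {
	p := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return errors.New("malformed token or bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	var claims struct{ Exp int64 `json:"exp"` }
	if err != nil || json.Unmarshal(body, &claims) != nil || !now.Before(time.Unix(claims.Exp, 0)) {
		return errors.New("unreadable claims, or token expired or missing exp")
	}
	return nil
}
// storeZTA is "validate, then persist": nothing reaches disk unless destination and signature both check out. Mode 0600 stands in for the TBD permissions.
func storeZTA(token, dest string, pub ed25519.PublicKey) (string, error) {
	path, err := allowedPath(dest)
	if err == nil {
		err = verifyJWT(token, pub, time.Now())
	}
	if err != nil {
		return "", err
	}
	return path, os.WriteFile(path, []byte(token), 0o600)
}
```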