plumbing for org admin members list (#537)

controller/controller.go

@@ -78,6 +78,7 @@ func Run(inCfg *config.Config) error {
 	api.MetadataGetFrontendDetailHandler = newGetFrontendDetailHandler()
 	api.MetadataGetShareDetailHandler = newShareDetailHandler()
 	api.MetadataListMembershipsHandler = newListMembershipsHandler()
+	api.MetadataListOrgMembersHandler = newListOrgMembersHandler()
 	api.MetadataOrgAccountOverviewHandler = newOrgAccountOverviewHandler()
 	api.MetadataOverviewHandler = newOverviewHandler()
 	api.MetadataVersionHandler = metadata.VersionHandlerFunc(versionHandler)

controller/listOrgMembers.go

@@ -0,0 +1,51 @@
+package controller
+
+import (
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/openziti/zrok/rest_model_zrok"
+	"github.com/openziti/zrok/rest_server_zrok/operations/metadata"
+	"github.com/sirupsen/logrus"
+)
+
+type listOrgMembersHandler struct{}
+
+func newListOrgMembersHandler() *listOrgMembersHandler {
+	return &listOrgMembersHandler{}
+}
+
+func (h *listOrgMembersHandler) Handle(params metadata.ListOrgMembersParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	trx, err := str.Begin()
+	if err != nil {
+		logrus.Errorf("error starting transaction: %v", err)
+		return metadata.NewListOrgMembersInternalServerError()
+	}
+	defer func() { _ = trx.Rollback() }()
+
+	org, err := str.FindOrganizationByToken(params.OrganizationToken, trx)
+	if err != nil {
+		logrus.Errorf("error finding organization by token: %v", err)
+		return metadata.NewListOrgMembersNotFound()
+	}
+
+	admin, err := str.IsAccountAdminOfOrganization(int(principal.ID), org.Id, trx)
+	if err != nil {
+		logrus.Errorf("error checking account '%v' admin: %v", principal.Email, err)
+		return metadata.NewListOrgMembersNotFound()
+	}
+	if !admin {
+		logrus.Errorf("requesting account '%v' is not admin of organization '%v'", principal.Email, org.Token)
+		return metadata.NewOrgAccountOverviewNotFound()
+	}
+
+	members, err := str.FindAccountsForOrganization(org.Id, trx)
+	if err != nil {
+		logrus.Errorf("error finding accounts for organization '%v': %v", org.Token, err)
+		return metadata.NewListOrgMembersInternalServerError()
+	}
+
+	var out []*metadata.ListOrgMembersOKBodyMembersItems0
+	for _, member := range members {
+		out = append(out, &metadata.ListOrgMembersOKBodyMembersItems0{Email: member.Email, Admin: member.Admin})
+	}
+	return metadata.NewListOrgMembersOK().WithPayload(&metadata.ListOrgMembersOKBody{Members: out})
+}

controller/orgAccountOverview.go

@@ -31,7 +31,7 @@ func (h *orgAccountOverviewHandler) Handle(params metadata.OrgAccountOverviewPar
 
 	admin, err := str.IsAccountAdminOfOrganization(int(principal.ID), org.Id, trx)
 	if err != nil {
-		logrus.Errorf("error checking account admin: %v", err)
+		logrus.Errorf("error checking account '%v' admin: %v", principal.Email, err)
 		return metadata.NewOrgAccountOverviewNotFound()
 	}
 	if !admin {

rest_client_zrok/metadata/list_members_parameters.go

@@ -0,0 +1,148 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListMembersParams creates a new ListMembersParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewListMembersParams() *ListMembersParams {
+	return &ListMembersParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewListMembersParamsWithTimeout creates a new ListMembersParams object
+// with the ability to set a timeout on a request.
+func NewListMembersParamsWithTimeout(timeout time.Duration) *ListMembersParams {
+	return &ListMembersParams{
+		timeout: timeout,
+	}
+}
+
+// NewListMembersParamsWithContext creates a new ListMembersParams object
+// with the ability to set a context for a request.
+func NewListMembersParamsWithContext(ctx context.Context) *ListMembersParams {
+	return &ListMembersParams{
+		Context: ctx,
+	}
+}
+
+// NewListMembersParamsWithHTTPClient creates a new ListMembersParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewListMembersParamsWithHTTPClient(client *http.Client) *ListMembersParams {
+	return &ListMembersParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ListMembersParams contains all the parameters to send to the API endpoint
+
+	for the list members operation.
+
+	Typically these are written to a http.Request.
+*/
+type ListMembersParams struct {
+
+	// OrganizationToken.
+	OrganizationToken string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the list members params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListMembersParams) WithDefaults() *ListMembersParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the list members params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListMembersParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the list members params
+func (o *ListMembersParams) WithTimeout(timeout time.Duration) *ListMembersParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the list members params
+func (o *ListMembersParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the list members params
+func (o *ListMembersParams) WithContext(ctx context.Context) *ListMembersParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the list members params
+func (o *ListMembersParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the list members params
+func (o *ListMembersParams) WithHTTPClient(client *http.Client) *ListMembersParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the list members params
+func (o *ListMembersParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithOrganizationToken adds the organizationToken to the list members params
+func (o *ListMembersParams) WithOrganizationToken(organizationToken string) *ListMembersParams {
+	o.SetOrganizationToken(organizationToken)
+	return o
+}
+
+// SetOrganizationToken adds the organizationToken to the list members params
+func (o *ListMembersParams) SetOrganizationToken(organizationToken string) {
+	o.OrganizationToken = organizationToken
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ListMembersParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param organizationToken
+	if err := r.SetPathParam("organizationToken", o.OrganizationToken); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/metadata/list_members_responses.go

@@ -0,0 +1,377 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strconv"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// ListMembersReader is a Reader for the ListMembers structure.
+type ListMembersReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ListMembersReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewListMembersOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 404:
+		result := NewListMembersNotFound()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewListMembersInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /members/{organizationToken}] listMembers", response, response.Code())
+	}
+}
+
+// NewListMembersOK creates a ListMembersOK with default headers values
+func NewListMembersOK() *ListMembersOK {
+	return &ListMembersOK{}
+}
+
+/*
+ListMembersOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type ListMembersOK struct {
+	Payload *ListMembersOKBody
+}
+
+// IsSuccess returns true when this list members o k response has a 2xx status code
+func (o *ListMembersOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this list members o k response has a 3xx status code
+func (o *ListMembersOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list members o k response has a 4xx status code
+func (o *ListMembersOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list members o k response has a 5xx status code
+func (o *ListMembersOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list members o k response a status code equal to that given
+func (o *ListMembersOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the list members o k response
+func (o *ListMembersOK) Code() int {
+	return 200
+}
+
+func (o *ListMembersOK) Error() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listMembersOK  %+v", 200, o.Payload)
+}
+
+func (o *ListMembersOK) String() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listMembersOK  %+v", 200, o.Payload)
+}
+
+func (o *ListMembersOK) GetPayload() *ListMembersOKBody {
+	return o.Payload
+}
+
+func (o *ListMembersOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	o.Payload = new(ListMembersOKBody)
+
+	// response payload
+	if err := consumer.Consume(response.Body(), o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewListMembersNotFound creates a ListMembersNotFound with default headers values
+func NewListMembersNotFound() *ListMembersNotFound {
+	return &ListMembersNotFound{}
+}
+
+/*
+ListMembersNotFound describes a response with status code 404, with default header values.
+
+not found
+*/
+type ListMembersNotFound struct {
+}
+
+// IsSuccess returns true when this list members not found response has a 2xx status code
+func (o *ListMembersNotFound) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this list members not found response has a 3xx status code
+func (o *ListMembersNotFound) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list members not found response has a 4xx status code
+func (o *ListMembersNotFound) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this list members not found response has a 5xx status code
+func (o *ListMembersNotFound) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list members not found response a status code equal to that given
+func (o *ListMembersNotFound) IsCode(code int) bool {
+	return code == 404
+}
+
+// Code gets the status code for the list members not found response
+func (o *ListMembersNotFound) Code() int {
+	return 404
+}
+
+func (o *ListMembersNotFound) Error() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listMembersNotFound ", 404)
+}
+
+func (o *ListMembersNotFound) String() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listMembersNotFound ", 404)
+}
+
+func (o *ListMembersNotFound) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewListMembersInternalServerError creates a ListMembersInternalServerError with default headers values
+func NewListMembersInternalServerError() *ListMembersInternalServerError {
+	return &ListMembersInternalServerError{}
+}
+
+/*
+ListMembersInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type ListMembersInternalServerError struct {
+}
+
+// IsSuccess returns true when this list members internal server error response has a 2xx status code
+func (o *ListMembersInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this list members internal server error response has a 3xx status code
+func (o *ListMembersInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list members internal server error response has a 4xx status code
+func (o *ListMembersInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list members internal server error response has a 5xx status code
+func (o *ListMembersInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this list members internal server error response a status code equal to that given
+func (o *ListMembersInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the list members internal server error response
+func (o *ListMembersInternalServerError) Code() int {
+	return 500
+}
+
+func (o *ListMembersInternalServerError) Error() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listMembersInternalServerError ", 500)
+}
+
+func (o *ListMembersInternalServerError) String() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listMembersInternalServerError ", 500)
+}
+
+func (o *ListMembersInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+ListMembersOKBody list members o k body
+swagger:model ListMembersOKBody
+*/
+type ListMembersOKBody struct {
+
+	// members
+	Members []*ListMembersOKBodyMembersItems0 `json:"members"`
+}
+
+// Validate validates this list members o k body
+func (o *ListMembersOKBody) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.validateMembers(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListMembersOKBody) validateMembers(formats strfmt.Registry) error {
+	if swag.IsZero(o.Members) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(o.Members); i++ {
+		if swag.IsZero(o.Members[i]) { // not required
+			continue
+		}
+
+		if o.Members[i] != nil {
+			if err := o.Members[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this list members o k body based on the context it is used
+func (o *ListMembersOKBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.contextValidateMembers(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListMembersOKBody) contextValidateMembers(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(o.Members); i++ {
+
+		if o.Members[i] != nil {
+
+			if swag.IsZero(o.Members[i]) { // not required
+				return nil
+			}
+
+			if err := o.Members[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListMembersOKBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListMembersOKBody) UnmarshalBinary(b []byte) error {
+	var res ListMembersOKBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
+
+/*
+ListMembersOKBodyMembersItems0 list members o k body members items0
+swagger:model ListMembersOKBodyMembersItems0
+*/
+type ListMembersOKBodyMembersItems0 struct {
+
+	// admin
+	Admin bool `json:"admin,omitempty"`
+
+	// email
+	Email string `json:"email,omitempty"`
+}
+
+// Validate validates this list members o k body members items0
+func (o *ListMembersOKBodyMembersItems0) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this list members o k body members items0 based on context it is used
+func (o *ListMembersOKBodyMembersItems0) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListMembersOKBodyMembersItems0) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListMembersOKBodyMembersItems0) UnmarshalBinary(b []byte) error {
+	var res ListMembersOKBodyMembersItems0
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_client_zrok/metadata/list_org_members_parameters.go

@@ -0,0 +1,148 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListOrgMembersParams creates a new ListOrgMembersParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewListOrgMembersParams() *ListOrgMembersParams {
+	return &ListOrgMembersParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewListOrgMembersParamsWithTimeout creates a new ListOrgMembersParams object
+// with the ability to set a timeout on a request.
+func NewListOrgMembersParamsWithTimeout(timeout time.Duration) *ListOrgMembersParams {
+	return &ListOrgMembersParams{
+		timeout: timeout,
+	}
+}
+
+// NewListOrgMembersParamsWithContext creates a new ListOrgMembersParams object
+// with the ability to set a context for a request.
+func NewListOrgMembersParamsWithContext(ctx context.Context) *ListOrgMembersParams {
+	return &ListOrgMembersParams{
+		Context: ctx,
+	}
+}
+
+// NewListOrgMembersParamsWithHTTPClient creates a new ListOrgMembersParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewListOrgMembersParamsWithHTTPClient(client *http.Client) *ListOrgMembersParams {
+	return &ListOrgMembersParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ListOrgMembersParams contains all the parameters to send to the API endpoint
+
+	for the list org members operation.
+
+	Typically these are written to a http.Request.
+*/
+type ListOrgMembersParams struct {
+
+	// OrganizationToken.
+	OrganizationToken string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the list org members params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListOrgMembersParams) WithDefaults() *ListOrgMembersParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the list org members params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListOrgMembersParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the list org members params
+func (o *ListOrgMembersParams) WithTimeout(timeout time.Duration) *ListOrgMembersParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the list org members params
+func (o *ListOrgMembersParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the list org members params
+func (o *ListOrgMembersParams) WithContext(ctx context.Context) *ListOrgMembersParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the list org members params
+func (o *ListOrgMembersParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the list org members params
+func (o *ListOrgMembersParams) WithHTTPClient(client *http.Client) *ListOrgMembersParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the list org members params
+func (o *ListOrgMembersParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithOrganizationToken adds the organizationToken to the list org members params
+func (o *ListOrgMembersParams) WithOrganizationToken(organizationToken string) *ListOrgMembersParams {
+	o.SetOrganizationToken(organizationToken)
+	return o
+}
+
+// SetOrganizationToken adds the organizationToken to the list org members params
+func (o *ListOrgMembersParams) SetOrganizationToken(organizationToken string) {
+	o.OrganizationToken = organizationToken
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ListOrgMembersParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param organizationToken
+	if err := r.SetPathParam("organizationToken", o.OrganizationToken); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}

rest_client_zrok/metadata/list_org_members_responses.go

@@ -0,0 +1,377 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strconv"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// ListOrgMembersReader is a Reader for the ListOrgMembers structure.
+type ListOrgMembersReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ListOrgMembersReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewListOrgMembersOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 404:
+		result := NewListOrgMembersNotFound()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	case 500:
+		result := NewListOrgMembersInternalServerError()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /members/{organizationToken}] listOrgMembers", response, response.Code())
+	}
+}
+
+// NewListOrgMembersOK creates a ListOrgMembersOK with default headers values
+func NewListOrgMembersOK() *ListOrgMembersOK {
+	return &ListOrgMembersOK{}
+}
+
+/*
+ListOrgMembersOK describes a response with status code 200, with default header values.
+
+ok
+*/
+type ListOrgMembersOK struct {
+	Payload *ListOrgMembersOKBody
+}
+
+// IsSuccess returns true when this list org members o k response has a 2xx status code
+func (o *ListOrgMembersOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this list org members o k response has a 3xx status code
+func (o *ListOrgMembersOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list org members o k response has a 4xx status code
+func (o *ListOrgMembersOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list org members o k response has a 5xx status code
+func (o *ListOrgMembersOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list org members o k response a status code equal to that given
+func (o *ListOrgMembersOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the list org members o k response
+func (o *ListOrgMembersOK) Code() int {
+	return 200
+}
+
+func (o *ListOrgMembersOK) Error() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listOrgMembersOK  %+v", 200, o.Payload)
+}
+
+func (o *ListOrgMembersOK) String() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listOrgMembersOK  %+v", 200, o.Payload)
+}
+
+func (o *ListOrgMembersOK) GetPayload() *ListOrgMembersOKBody {
+	return o.Payload
+}
+
+func (o *ListOrgMembersOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	o.Payload = new(ListOrgMembersOKBody)
+
+	// response payload
+	if err := consumer.Consume(response.Body(), o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewListOrgMembersNotFound creates a ListOrgMembersNotFound with default headers values
+func NewListOrgMembersNotFound() *ListOrgMembersNotFound {
+	return &ListOrgMembersNotFound{}
+}
+
+/*
+ListOrgMembersNotFound describes a response with status code 404, with default header values.
+
+not found
+*/
+type ListOrgMembersNotFound struct {
+}
+
+// IsSuccess returns true when this list org members not found response has a 2xx status code
+func (o *ListOrgMembersNotFound) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this list org members not found response has a 3xx status code
+func (o *ListOrgMembersNotFound) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list org members not found response has a 4xx status code
+func (o *ListOrgMembersNotFound) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this list org members not found response has a 5xx status code
+func (o *ListOrgMembersNotFound) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list org members not found response a status code equal to that given
+func (o *ListOrgMembersNotFound) IsCode(code int) bool {
+	return code == 404
+}
+
+// Code gets the status code for the list org members not found response
+func (o *ListOrgMembersNotFound) Code() int {
+	return 404
+}
+
+func (o *ListOrgMembersNotFound) Error() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listOrgMembersNotFound ", 404)
+}
+
+func (o *ListOrgMembersNotFound) String() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listOrgMembersNotFound ", 404)
+}
+
+func (o *ListOrgMembersNotFound) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+// NewListOrgMembersInternalServerError creates a ListOrgMembersInternalServerError with default headers values
+func NewListOrgMembersInternalServerError() *ListOrgMembersInternalServerError {
+	return &ListOrgMembersInternalServerError{}
+}
+
+/*
+ListOrgMembersInternalServerError describes a response with status code 500, with default header values.
+
+internal server error
+*/
+type ListOrgMembersInternalServerError struct {
+}
+
+// IsSuccess returns true when this list org members internal server error response has a 2xx status code
+func (o *ListOrgMembersInternalServerError) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this list org members internal server error response has a 3xx status code
+func (o *ListOrgMembersInternalServerError) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list org members internal server error response has a 4xx status code
+func (o *ListOrgMembersInternalServerError) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list org members internal server error response has a 5xx status code
+func (o *ListOrgMembersInternalServerError) IsServerError() bool {
+	return true
+}
+
+// IsCode returns true when this list org members internal server error response a status code equal to that given
+func (o *ListOrgMembersInternalServerError) IsCode(code int) bool {
+	return code == 500
+}
+
+// Code gets the status code for the list org members internal server error response
+func (o *ListOrgMembersInternalServerError) Code() int {
+	return 500
+}
+
+func (o *ListOrgMembersInternalServerError) Error() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listOrgMembersInternalServerError ", 500)
+}
+
+func (o *ListOrgMembersInternalServerError) String() string {
+	return fmt.Sprintf("[GET /members/{organizationToken}][%d] listOrgMembersInternalServerError ", 500)
+}
+
+func (o *ListOrgMembersInternalServerError) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	return nil
+}
+
+/*
+ListOrgMembersOKBody list org members o k body
+swagger:model ListOrgMembersOKBody
+*/
+type ListOrgMembersOKBody struct {
+
+	// members
+	Members []*ListOrgMembersOKBodyMembersItems0 `json:"members"`
+}
+
+// Validate validates this list org members o k body
+func (o *ListOrgMembersOKBody) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.validateMembers(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListOrgMembersOKBody) validateMembers(formats strfmt.Registry) error {
+	if swag.IsZero(o.Members) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(o.Members); i++ {
+		if swag.IsZero(o.Members[i]) { // not required
+			continue
+		}
+
+		if o.Members[i] != nil {
+			if err := o.Members[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this list org members o k body based on the context it is used
+func (o *ListOrgMembersOKBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.contextValidateMembers(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListOrgMembersOKBody) contextValidateMembers(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(o.Members); i++ {
+
+		if o.Members[i] != nil {
+
+			if swag.IsZero(o.Members[i]) { // not required
+				return nil
+			}
+
+			if err := o.Members[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListOrgMembersOKBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListOrgMembersOKBody) UnmarshalBinary(b []byte) error {
+	var res ListOrgMembersOKBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
+
+/*
+ListOrgMembersOKBodyMembersItems0 list org members o k body members items0
+swagger:model ListOrgMembersOKBodyMembersItems0
+*/
+type ListOrgMembersOKBodyMembersItems0 struct {
+
+	// admin
+	Admin bool `json:"admin,omitempty"`
+
+	// email
+	Email string `json:"email,omitempty"`
+}
+
+// Validate validates this list org members o k body members items0
+func (o *ListOrgMembersOKBodyMembersItems0) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this list org members o k body members items0 based on context it is used
+func (o *ListOrgMembersOKBodyMembersItems0) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListOrgMembersOKBodyMembersItems0) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListOrgMembersOKBodyMembersItems0) UnmarshalBinary(b []byte) error {
+	var res ListOrgMembersOKBodyMembersItems0
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_client_zrok/metadata/metadata_client.go

@@ -48,6 +48,8 @@ type ClientService interface {
 
 	ListMemberships(params *ListMembershipsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListMembershipsOK, error)
 
+	ListOrgMembers(params *ListOrgMembersParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListOrgMembersOK, error)
+
 	OrgAccountOverview(params *OrgAccountOverviewParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*OrgAccountOverviewOK, error)
 
 	Overview(params *OverviewParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*OverviewOK, error)
@@ -407,6 +409,45 @@ func (a *Client) ListMemberships(params *ListMembershipsParams, authInfo runtime
 	panic(msg)
 }
 
+/*
+ListOrgMembers list org members API
+*/
+func (a *Client) ListOrgMembers(params *ListOrgMembersParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListOrgMembersOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewListOrgMembersParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "listOrgMembers",
+		Method:             "GET",
+		PathPattern:        "/members/{organizationToken}",
+		ProducesMediaTypes: []string{"application/zrok.v1+json"},
+		ConsumesMediaTypes: []string{"application/zrok.v1+json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &ListOrgMembersReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*ListOrgMembersOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for listOrgMembers: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
 /*
 OrgAccountOverview org account overview API
 */

rest_server_zrok/embedded_spec.go

@@ -711,6 +711,55 @@ func init() {
         }
       }
     },
+    "/members/{organizationToken}": {
+      "get": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "metadata"
+        ],
+        "operationId": "listOrgMembers",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "organizationToken",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok",
+            "schema": {
+              "properties": {
+                "members": {
+                  "type": "array",
+                  "items": {
+                    "properties": {
+                      "admin": {
+                        "type": "boolean"
+                      },
+                      "email": {
+                        "type": "string"
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "not found"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
     "/memberships": {
       "get": {
         "security": [
@@ -2912,6 +2961,48 @@ func init() {
         }
       }
     },
+    "/members/{organizationToken}": {
+      "get": {
+        "security": [
+          {
+            "key": []
+          }
+        ],
+        "tags": [
+          "metadata"
+        ],
+        "operationId": "listOrgMembers",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "organizationToken",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ok",
+            "schema": {
+              "properties": {
+                "members": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/MembersItems0"
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "not found"
+          },
+          "500": {
+            "description": "internal server error"
+          }
+        }
+      }
+    },
     "/memberships": {
       "get": {
         "security": [

rest_server_zrok/operations/metadata/list_members.go

@@ -0,0 +1,222 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+	"strconv"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// ListMembersHandlerFunc turns a function with the right signature into a list members handler
+type ListMembersHandlerFunc func(ListMembersParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn ListMembersHandlerFunc) Handle(params ListMembersParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// ListMembersHandler interface for that can handle valid list members params
+type ListMembersHandler interface {
+	Handle(ListMembersParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewListMembers creates a new http.Handler for the list members operation
+func NewListMembers(ctx *middleware.Context, handler ListMembersHandler) *ListMembers {
+	return &ListMembers{Context: ctx, Handler: handler}
+}
+
+/*
+	ListMembers swagger:route GET /members/{organizationToken} metadata listMembers
+
+ListMembers list members API
+*/
+type ListMembers struct {
+	Context *middleware.Context
+	Handler ListMembersHandler
+}
+
+func (o *ListMembers) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewListMembersParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// ListMembersOKBody list members o k body
+//
+// swagger:model ListMembersOKBody
+type ListMembersOKBody struct {
+
+	// members
+	Members []*ListMembersOKBodyMembersItems0 `json:"members"`
+}
+
+// Validate validates this list members o k body
+func (o *ListMembersOKBody) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.validateMembers(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListMembersOKBody) validateMembers(formats strfmt.Registry) error {
+	if swag.IsZero(o.Members) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(o.Members); i++ {
+		if swag.IsZero(o.Members[i]) { // not required
+			continue
+		}
+
+		if o.Members[i] != nil {
+			if err := o.Members[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this list members o k body based on the context it is used
+func (o *ListMembersOKBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.contextValidateMembers(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListMembersOKBody) contextValidateMembers(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(o.Members); i++ {
+
+		if o.Members[i] != nil {
+
+			if swag.IsZero(o.Members[i]) { // not required
+				return nil
+			}
+
+			if err := o.Members[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListMembersOKBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListMembersOKBody) UnmarshalBinary(b []byte) error {
+	var res ListMembersOKBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
+
+// ListMembersOKBodyMembersItems0 list members o k body members items0
+//
+// swagger:model ListMembersOKBodyMembersItems0
+type ListMembersOKBodyMembersItems0 struct {
+
+	// admin
+	Admin bool `json:"admin,omitempty"`
+
+	// email
+	Email string `json:"email,omitempty"`
+}
+
+// Validate validates this list members o k body members items0
+func (o *ListMembersOKBodyMembersItems0) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this list members o k body members items0 based on context it is used
+func (o *ListMembersOKBodyMembersItems0) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListMembersOKBodyMembersItems0) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListMembersOKBodyMembersItems0) UnmarshalBinary(b []byte) error {
+	var res ListMembersOKBodyMembersItems0
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/metadata/list_members_parameters.go

@@ -0,0 +1,71 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListMembersParams creates a new ListMembersParams object
+//
+// There are no default values defined in the spec.
+func NewListMembersParams() ListMembersParams {
+
+	return ListMembersParams{}
+}
+
+// ListMembersParams contains all the bound params for the list members operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters listMembers
+type ListMembersParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  Required: true
+	  In: path
+	*/
+	OrganizationToken string
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewListMembersParams() beforehand.
+func (o *ListMembersParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	rOrganizationToken, rhkOrganizationToken, _ := route.Params.GetOK("organizationToken")
+	if err := o.bindOrganizationToken(rOrganizationToken, rhkOrganizationToken, route.Formats); err != nil {
+		res = append(res, err)
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+// bindOrganizationToken binds and validates parameter OrganizationToken from path.
+func (o *ListMembersParams) bindOrganizationToken(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.OrganizationToken = raw
+
+	return nil
+}

rest_server_zrok/operations/metadata/list_members_responses.go

@@ -0,0 +1,107 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// ListMembersOKCode is the HTTP code returned for type ListMembersOK
+const ListMembersOKCode int = 200
+
+/*
+ListMembersOK ok
+
+swagger:response listMembersOK
+*/
+type ListMembersOK struct {
+
+	/*
+	  In: Body
+	*/
+	Payload *ListMembersOKBody `json:"body,omitempty"`
+}
+
+// NewListMembersOK creates ListMembersOK with default headers values
+func NewListMembersOK() *ListMembersOK {
+
+	return &ListMembersOK{}
+}
+
+// WithPayload adds the payload to the list members o k response
+func (o *ListMembersOK) WithPayload(payload *ListMembersOKBody) *ListMembersOK {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the list members o k response
+func (o *ListMembersOK) SetPayload(payload *ListMembersOKBody) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *ListMembersOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(200)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
+
+// ListMembersNotFoundCode is the HTTP code returned for type ListMembersNotFound
+const ListMembersNotFoundCode int = 404
+
+/*
+ListMembersNotFound not found
+
+swagger:response listMembersNotFound
+*/
+type ListMembersNotFound struct {
+}
+
+// NewListMembersNotFound creates ListMembersNotFound with default headers values
+func NewListMembersNotFound() *ListMembersNotFound {
+
+	return &ListMembersNotFound{}
+}
+
+// WriteResponse to the client
+func (o *ListMembersNotFound) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(404)
+}
+
+// ListMembersInternalServerErrorCode is the HTTP code returned for type ListMembersInternalServerError
+const ListMembersInternalServerErrorCode int = 500
+
+/*
+ListMembersInternalServerError internal server error
+
+swagger:response listMembersInternalServerError
+*/
+type ListMembersInternalServerError struct {
+}
+
+// NewListMembersInternalServerError creates ListMembersInternalServerError with default headers values
+func NewListMembersInternalServerError() *ListMembersInternalServerError {
+
+	return &ListMembersInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *ListMembersInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/metadata/list_members_urlbuilder.go

@@ -0,0 +1,99 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+	"strings"
+)
+
+// ListMembersURL generates an URL for the list members operation
+type ListMembersURL struct {
+	OrganizationToken string
+
+	_basePath string
+	// avoid unkeyed usage
+	_ struct{}
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *ListMembersURL) WithBasePath(bp string) *ListMembersURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *ListMembersURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *ListMembersURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/members/{organizationToken}"
+
+	organizationToken := o.OrganizationToken
+	if organizationToken != "" {
+		_path = strings.Replace(_path, "{organizationToken}", organizationToken, -1)
+	} else {
+		return nil, errors.New("organizationToken is required on ListMembersURL")
+	}
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *ListMembersURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *ListMembersURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *ListMembersURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on ListMembersURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on ListMembersURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *ListMembersURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/metadata/list_org_members.go

@@ -0,0 +1,222 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"context"
+	"net/http"
+	"strconv"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	"github.com/openziti/zrok/rest_model_zrok"
+)
+
+// ListOrgMembersHandlerFunc turns a function with the right signature into a list org members handler
+type ListOrgMembersHandlerFunc func(ListOrgMembersParams, *rest_model_zrok.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn ListOrgMembersHandlerFunc) Handle(params ListOrgMembersParams, principal *rest_model_zrok.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// ListOrgMembersHandler interface for that can handle valid list org members params
+type ListOrgMembersHandler interface {
+	Handle(ListOrgMembersParams, *rest_model_zrok.Principal) middleware.Responder
+}
+
+// NewListOrgMembers creates a new http.Handler for the list org members operation
+func NewListOrgMembers(ctx *middleware.Context, handler ListOrgMembersHandler) *ListOrgMembers {
+	return &ListOrgMembers{Context: ctx, Handler: handler}
+}
+
+/*
+	ListOrgMembers swagger:route GET /members/{organizationToken} metadata listOrgMembers
+
+ListOrgMembers list org members API
+*/
+type ListOrgMembers struct {
+	Context *middleware.Context
+	Handler ListOrgMembersHandler
+}
+
+func (o *ListOrgMembers) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewListOrgMembersParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *rest_model_zrok.Principal
+	if uprinc != nil {
+		principal = uprinc.(*rest_model_zrok.Principal) // this is really a rest_model_zrok.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
+
+// ListOrgMembersOKBody list org members o k body
+//
+// swagger:model ListOrgMembersOKBody
+type ListOrgMembersOKBody struct {
+
+	// members
+	Members []*ListOrgMembersOKBodyMembersItems0 `json:"members"`
+}
+
+// Validate validates this list org members o k body
+func (o *ListOrgMembersOKBody) Validate(formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.validateMembers(formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListOrgMembersOKBody) validateMembers(formats strfmt.Registry) error {
+	if swag.IsZero(o.Members) { // not required
+		return nil
+	}
+
+	for i := 0; i < len(o.Members); i++ {
+		if swag.IsZero(o.Members[i]) { // not required
+			continue
+		}
+
+		if o.Members[i] != nil {
+			if err := o.Members[i].Validate(formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// ContextValidate validate this list org members o k body based on the context it is used
+func (o *ListOrgMembersOKBody) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	var res []error
+
+	if err := o.contextValidateMembers(ctx, formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+func (o *ListOrgMembersOKBody) contextValidateMembers(ctx context.Context, formats strfmt.Registry) error {
+
+	for i := 0; i < len(o.Members); i++ {
+
+		if o.Members[i] != nil {
+
+			if swag.IsZero(o.Members[i]) { // not required
+				return nil
+			}
+
+			if err := o.Members[i].ContextValidate(ctx, formats); err != nil {
+				if ve, ok := err.(*errors.Validation); ok {
+					return ve.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				} else if ce, ok := err.(*errors.CompositeError); ok {
+					return ce.ValidateName("listOrgMembersOK" + "." + "members" + "." + strconv.Itoa(i))
+				}
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListOrgMembersOKBody) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListOrgMembersOKBody) UnmarshalBinary(b []byte) error {
+	var res ListOrgMembersOKBody
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}
+
+// ListOrgMembersOKBodyMembersItems0 list org members o k body members items0
+//
+// swagger:model ListOrgMembersOKBodyMembersItems0
+type ListOrgMembersOKBodyMembersItems0 struct {
+
+	// admin
+	Admin bool `json:"admin,omitempty"`
+
+	// email
+	Email string `json:"email,omitempty"`
+}
+
+// Validate validates this list org members o k body members items0
+func (o *ListOrgMembersOKBodyMembersItems0) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this list org members o k body members items0 based on context it is used
+func (o *ListOrgMembersOKBodyMembersItems0) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (o *ListOrgMembersOKBodyMembersItems0) MarshalBinary() ([]byte, error) {
+	if o == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(o)
+}
+
+// UnmarshalBinary interface implementation
+func (o *ListOrgMembersOKBodyMembersItems0) UnmarshalBinary(b []byte) error {
+	var res ListOrgMembersOKBodyMembersItems0
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*o = res
+	return nil
+}

rest_server_zrok/operations/metadata/list_org_members_parameters.go

@@ -0,0 +1,71 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListOrgMembersParams creates a new ListOrgMembersParams object
+//
+// There are no default values defined in the spec.
+func NewListOrgMembersParams() ListOrgMembersParams {
+
+	return ListOrgMembersParams{}
+}
+
+// ListOrgMembersParams contains all the bound params for the list org members operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters listOrgMembers
+type ListOrgMembersParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  Required: true
+	  In: path
+	*/
+	OrganizationToken string
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewListOrgMembersParams() beforehand.
+func (o *ListOrgMembersParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	rOrganizationToken, rhkOrganizationToken, _ := route.Params.GetOK("organizationToken")
+	if err := o.bindOrganizationToken(rOrganizationToken, rhkOrganizationToken, route.Formats); err != nil {
+		res = append(res, err)
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+// bindOrganizationToken binds and validates parameter OrganizationToken from path.
+func (o *ListOrgMembersParams) bindOrganizationToken(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.OrganizationToken = raw
+
+	return nil
+}

rest_server_zrok/operations/metadata/list_org_members_responses.go

@@ -0,0 +1,107 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+)
+
+// ListOrgMembersOKCode is the HTTP code returned for type ListOrgMembersOK
+const ListOrgMembersOKCode int = 200
+
+/*
+ListOrgMembersOK ok
+
+swagger:response listOrgMembersOK
+*/
+type ListOrgMembersOK struct {
+
+	/*
+	  In: Body
+	*/
+	Payload *ListOrgMembersOKBody `json:"body,omitempty"`
+}
+
+// NewListOrgMembersOK creates ListOrgMembersOK with default headers values
+func NewListOrgMembersOK() *ListOrgMembersOK {
+
+	return &ListOrgMembersOK{}
+}
+
+// WithPayload adds the payload to the list org members o k response
+func (o *ListOrgMembersOK) WithPayload(payload *ListOrgMembersOKBody) *ListOrgMembersOK {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the list org members o k response
+func (o *ListOrgMembersOK) SetPayload(payload *ListOrgMembersOKBody) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *ListOrgMembersOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(200)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
+
+// ListOrgMembersNotFoundCode is the HTTP code returned for type ListOrgMembersNotFound
+const ListOrgMembersNotFoundCode int = 404
+
+/*
+ListOrgMembersNotFound not found
+
+swagger:response listOrgMembersNotFound
+*/
+type ListOrgMembersNotFound struct {
+}
+
+// NewListOrgMembersNotFound creates ListOrgMembersNotFound with default headers values
+func NewListOrgMembersNotFound() *ListOrgMembersNotFound {
+
+	return &ListOrgMembersNotFound{}
+}
+
+// WriteResponse to the client
+func (o *ListOrgMembersNotFound) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(404)
+}
+
+// ListOrgMembersInternalServerErrorCode is the HTTP code returned for type ListOrgMembersInternalServerError
+const ListOrgMembersInternalServerErrorCode int = 500
+
+/*
+ListOrgMembersInternalServerError internal server error
+
+swagger:response listOrgMembersInternalServerError
+*/
+type ListOrgMembersInternalServerError struct {
+}
+
+// NewListOrgMembersInternalServerError creates ListOrgMembersInternalServerError with default headers values
+func NewListOrgMembersInternalServerError() *ListOrgMembersInternalServerError {
+
+	return &ListOrgMembersInternalServerError{}
+}
+
+// WriteResponse to the client
+func (o *ListOrgMembersInternalServerError) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.Header().Del(runtime.HeaderContentType) //Remove Content-Type on empty responses
+
+	rw.WriteHeader(500)
+}

rest_server_zrok/operations/metadata/list_org_members_urlbuilder.go

@@ -0,0 +1,99 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package metadata
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+	"strings"
+)
+
+// ListOrgMembersURL generates an URL for the list org members operation
+type ListOrgMembersURL struct {
+	OrganizationToken string
+
+	_basePath string
+	// avoid unkeyed usage
+	_ struct{}
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *ListOrgMembersURL) WithBasePath(bp string) *ListOrgMembersURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *ListOrgMembersURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *ListOrgMembersURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/members/{organizationToken}"
+
+	organizationToken := o.OrganizationToken
+	if organizationToken != "" {
+		_path = strings.Replace(_path, "{organizationToken}", organizationToken, -1)
+	} else {
+		return nil, errors.New("organizationToken is required on ListOrgMembersURL")
+	}
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *ListOrgMembersURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *ListOrgMembersURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *ListOrgMembersURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on ListOrgMembersURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on ListOrgMembersURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *ListOrgMembersURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}

rest_server_zrok/operations/zrok_api.go

@@ -121,6 +121,9 @@ func NewZrokAPI(spec *loads.Document) *ZrokAPI {
 		MetadataListMembershipsHandler: metadata.ListMembershipsHandlerFunc(func(params metadata.ListMembershipsParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation metadata.ListMemberships has not yet been implemented")
 		}),
+		MetadataListOrgMembersHandler: metadata.ListOrgMembersHandlerFunc(func(params metadata.ListOrgMembersParams, principal *rest_model_zrok.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation metadata.ListOrgMembers has not yet been implemented")
+		}),
 		AdminListOrganizationMembersHandler: admin.ListOrganizationMembersHandlerFunc(func(params admin.ListOrganizationMembersParams, principal *rest_model_zrok.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin.ListOrganizationMembers has not yet been implemented")
 		}),
@@ -270,6 +273,8 @@ type ZrokAPI struct {
 	AdminListFrontendsHandler admin.ListFrontendsHandler
 	// MetadataListMembershipsHandler sets the operation handler for the list memberships operation
 	MetadataListMembershipsHandler metadata.ListMembershipsHandler
+	// MetadataListOrgMembersHandler sets the operation handler for the list org members operation
+	MetadataListOrgMembersHandler metadata.ListOrgMembersHandler
 	// AdminListOrganizationMembersHandler sets the operation handler for the list organization members operation
 	AdminListOrganizationMembersHandler admin.ListOrganizationMembersHandler
 	// AdminListOrganizationsHandler sets the operation handler for the list organizations operation
@@ -457,6 +462,9 @@ func (o *ZrokAPI) Validate() error {
 	if o.MetadataListMembershipsHandler == nil {
 		unregistered = append(unregistered, "metadata.ListMembershipsHandler")
 	}
+	if o.MetadataListOrgMembersHandler == nil {
+		unregistered = append(unregistered, "metadata.ListOrgMembersHandler")
+	}
 	if o.AdminListOrganizationMembersHandler == nil {
 		unregistered = append(unregistered, "admin.ListOrganizationMembersHandler")
 	}
@@ -703,6 +711,10 @@ func (o *ZrokAPI) initHandlerCache() {
 		o.handlers["GET"] = make(map[string]http.Handler)
 	}
 	o.handlers["GET"]["/memberships"] = metadata.NewListMemberships(o.context, o.MetadataListMembershipsHandler)
+	if o.handlers["GET"] == nil {
+		o.handlers["GET"] = make(map[string]http.Handler)
+	}
+	o.handlers["GET"]["/members/{organizationToken}"] = metadata.NewListOrgMembers(o.context, o.MetadataListOrgMembersHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
 	}

sdk/nodejs/sdk/src/zrok/api/api/metadataApi.ts

@@ -20,6 +20,7 @@ import { Environment } from '../model/environment';
 import { EnvironmentAndResources } from '../model/environmentAndResources';
 import { Frontend } from '../model/frontend';
 import { ListMemberships200Response } from '../model/listMemberships200Response';
+import { ListOrganizationMembers200Response } from '../model/listOrganizationMembers200Response';
 import { Metrics } from '../model/metrics';
 import { Overview } from '../model/overview';
 import { Share } from '../model/share';
@@ -719,6 +720,77 @@ export class MetadataApi {
             });
         });
     }
+    /**
+     * 
+     * @param organizationToken 
+     */
+    public async listOrgMembers (organizationToken: string, options: {headers: {[name: string]: string}} = {headers: {}}) : Promise<{ response: http.IncomingMessage; body: ListOrganizationMembers200Response;  }> {
+        const localVarPath = this.basePath + '/members/{organizationToken}'
+            .replace('{' + 'organizationToken' + '}', encodeURIComponent(String(organizationToken)));
+        let localVarQueryParameters: any = {};
+        let localVarHeaderParams: any = (<any>Object).assign({}, this._defaultHeaders);
+        const produces = ['application/zrok.v1+json'];
+        // give precedence to 'application/json'
+        if (produces.indexOf('application/json') >= 0) {
+            localVarHeaderParams.Accept = 'application/json';
+        } else {
+            localVarHeaderParams.Accept = produces.join(',');
+        }
+        let localVarFormParams: any = {};
+
+        // verify required parameter 'organizationToken' is not null or undefined
+        if (organizationToken === null || organizationToken === undefined) {
+            throw new Error('Required parameter organizationToken was null or undefined when calling listOrgMembers.');
+        }
+
+        (<any>Object).assign(localVarHeaderParams, options.headers);
+
+        let localVarUseFormData = false;
+
+        let localVarRequestOptions: localVarRequest.Options = {
+            method: 'GET',
+            qs: localVarQueryParameters,
+            headers: localVarHeaderParams,
+            uri: localVarPath,
+            useQuerystring: this._useQuerystring,
+            json: true,
+        };
+
+        let authenticationPromise = Promise.resolve();
+        if (this.authentications.key.apiKey) {
+            authenticationPromise = authenticationPromise.then(() => this.authentications.key.applyToRequest(localVarRequestOptions));
+        }
+        authenticationPromise = authenticationPromise.then(() => this.authentications.default.applyToRequest(localVarRequestOptions));
+
+        let interceptorPromise = authenticationPromise;
+        for (const interceptor of this.interceptors) {
+            interceptorPromise = interceptorPromise.then(() => interceptor(localVarRequestOptions));
+        }
+
+        return interceptorPromise.then(() => {
+            if (Object.keys(localVarFormParams).length) {
+                if (localVarUseFormData) {
+                    (<any>localVarRequestOptions).formData = localVarFormParams;
+                } else {
+                    localVarRequestOptions.form = localVarFormParams;
+                }
+            }
+            return new Promise<{ response: http.IncomingMessage; body: ListOrganizationMembers200Response;  }>((resolve, reject) => {
+                localVarRequest(localVarRequestOptions, (error, response, body) => {
+                    if (error) {
+                        reject(error);
+                    } else {
+                        if (response.statusCode && response.statusCode >= 200 && response.statusCode <= 299) {
+                            body = ObjectSerializer.deserialize(body, "ListOrganizationMembers200Response");
+                            resolve({ response: response, body: body });
+                        } else {
+                            reject(new HttpError(response, body, response.statusCode));
+                        }
+                    }
+                });
+            });
+        });
+    }
     /**
      * 
      * @param organizationToken 

sdk/python/sdk/zrok/zrok_api/api/metadata_api.py

@@ -849,6 +849,99 @@ class MetadataApi(object):
             _request_timeout=params.get('_request_timeout'),
             collection_formats=collection_formats)
 
+    def list_org_members(self, organization_token, **kwargs):  # noqa: E501
+        """list_org_members  # noqa: E501
+
+        This method makes a synchronous HTTP request by default. To make an
+        asynchronous HTTP request, please pass async_req=True
+        >>> thread = api.list_org_members(organization_token, async_req=True)
+        >>> result = thread.get()
+
+        :param async_req bool
+        :param str organization_token: (required)
+        :return: InlineResponse2001
+                 If the method is called asynchronously,
+                 returns the request thread.
+        """
+        kwargs['_return_http_data_only'] = True
+        if kwargs.get('async_req'):
+            return self.list_org_members_with_http_info(organization_token, **kwargs)  # noqa: E501
+        else:
+            (data) = self.list_org_members_with_http_info(organization_token, **kwargs)  # noqa: E501
+            return data
+
+    def list_org_members_with_http_info(self, organization_token, **kwargs):  # noqa: E501
+        """list_org_members  # noqa: E501
+
+        This method makes a synchronous HTTP request by default. To make an
+        asynchronous HTTP request, please pass async_req=True
+        >>> thread = api.list_org_members_with_http_info(organization_token, async_req=True)
+        >>> result = thread.get()
+
+        :param async_req bool
+        :param str organization_token: (required)
+        :return: InlineResponse2001
+                 If the method is called asynchronously,
+                 returns the request thread.
+        """
+
+        all_params = ['organization_token']  # noqa: E501
+        all_params.append('async_req')
+        all_params.append('_return_http_data_only')
+        all_params.append('_preload_content')
+        all_params.append('_request_timeout')
+
+        params = locals()
+        for key, val in six.iteritems(params['kwargs']):
+            if key not in all_params:
+                raise TypeError(
+                    "Got an unexpected keyword argument '%s'"
+                    " to method list_org_members" % key
+                )
+            params[key] = val
+        del params['kwargs']
+        # verify the required parameter 'organization_token' is set
+        if ('organization_token' not in params or
+                params['organization_token'] is None):
+            raise ValueError("Missing the required parameter `organization_token` when calling `list_org_members`")  # noqa: E501
+
+        collection_formats = {}
+
+        path_params = {}
+        if 'organization_token' in params:
+            path_params['organizationToken'] = params['organization_token']  # noqa: E501
+
+        query_params = []
+
+        header_params = {}
+
+        form_params = []
+        local_var_files = {}
+
+        body_params = None
+        # HTTP header `Accept`
+        header_params['Accept'] = self.api_client.select_header_accept(
+            ['application/zrok.v1+json'])  # noqa: E501
+
+        # Authentication setting
+        auth_settings = ['key']  # noqa: E501
+
+        return self.api_client.call_api(
+            '/members/{organizationToken}', 'GET',
+            path_params,
+            query_params,
+            header_params,
+            body=body_params,
+            post_params=form_params,
+            files=local_var_files,
+            response_type='InlineResponse2001',  # noqa: E501
+            auth_settings=auth_settings,
+            async_req=params.get('async_req'),
+            _return_http_data_only=params.get('_return_http_data_only'),
+            _preload_content=params.get('_preload_content', True),
+            _request_timeout=params.get('_request_timeout'),
+            collection_formats=collection_formats)
+
     def org_account_overview(self, organization_token, account_email, **kwargs):  # noqa: E501
         """org_account_overview  # noqa: E501
 

specs/zrok.yml

@@ -691,6 +691,36 @@ paths:
         500:
           description: internal server error
 
+  /members/{organizationToken}:
+    get:
+      tags:
+        - metadata
+      security:
+        - key: []
+      operationId: listOrgMembers
+      parameters:
+          - name: organizationToken
+            in: path
+            type: string
+            required: true
+      responses:
+        200:
+          description: ok
+          schema:
+            properties:
+              members:
+                type: array
+                items:
+                  properties:
+                    email:
+                      type: string
+                    admin:
+                      type: boolean
+        404:
+          description: not found
+        500:
+          description: internal server error
+
   /memberships:
     get:
       tags:

ui/src/api/metadata.js

@@ -53,6 +53,19 @@ export function getShareDetail(shrToken) {
   return gateway.request(getShareDetailOperation, parameters)
 }
 
+/**
+ * @param {string} organizationToken 
+ * @return {Promise<object>} ok
+ */
+export function listOrgMembers(organizationToken) {
+  const parameters = {
+    path: {
+      organizationToken
+    }
+  }
+  return gateway.request(listOrgMembersOperation, parameters)
+}
+
 /**
  */
 export function listMemberships() {
@@ -184,6 +197,16 @@ const getShareDetailOperation = {
   ]
 }
 
+const listOrgMembersOperation = {
+  path: '/members/{organizationToken}',
+  method: 'get',
+  security: [
+    {
+      id: 'key'
+    }
+  ]
+}
+
 const listMembershipsOperation = {
   path: '/memberships',
   method: 'get',