Signed-off-by: Emelie <em@nao.sh>

During login, if there are multiple IdPs enabled, offer the user a choice of
IdPs.

Removes the trailing slash with causes issues with matrix.to/Element.

Adds the redacts endpoint to workers that have the client listener.

This makes the CAS handler look more like the SAML/OIDC handlers:

* Render errors to users instead of throwing JSON errors.
* Internal reorganization.

Adds a new setting `email.invite_client_location` which, if defined, is
passed to the identity server during invites.

This adds an admin API that allows a server admin to get power in a room if a local user has power in a room. Will also invite the user if they're not in the room and its a private room. Can specify another user (rather than the admin user) to be granted power.

Co-authored-by: Matthew Hodgson <matthew@matrix.org>

The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow
`UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser
back to the client, we redirect to a username-picker resource, which allows the user to enter a username.
We *then* complete the SSO flow (including doing the client permission checks).

The static resources for the username picker itself (in 
https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker)
are essentially lifted wholesale from
https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. 
As the comment says, we might want to think about making them customisable, but that can be a follow-up. 

Fixes #8876.

Move it from the federation section to the server section to match
ip_range_blacklist.

Spam checker modules can now provide async methods. This is implemented
in a backwards-compatible manner.

Deprecate both APIs in favour of the Delete Room API.

Related: #8663 and #8810

This defaults `ip_range_blacklist` to reserved IP ranges and also adds an
`ip_range_whitelist` setting to override it.

Related: #8810
Also a few small improvements.

Signed-off-by: Dirk Klimpel <dirk@klimpel.org>

Authentication is done by checking a shared secret provided
in the Synapse configuration file.

This was broken in #8801.

the constructor is called with a `module_api`.

Replaces the `federation_ip_range_blacklist` configuration setting with an
`ip_range_blacklist` setting with wider scope. It now applies to:

* Federation
* Identity servers
* Push notifications
* Checking key validitity for third-party invite events

The old `federation_ip_range_blacklist` setting is still honored if present, but
with reduced scope (it only applies to federation and identity servers).

A word got removed accidentally in 83434df3.

Add a config option to change whether unread push notification counts are per-message or per-room (#8820)

This PR adds a new config option to the `push` section of the homeserver config, `group_unread_count_by_room`. By default Synapse will group push notifications by room (so if you have 1000 unread messages, if they lie in 55 rooms, you'll see an unread count on your phone of 55).

However, it is also useful to be able to send out the true count of unread messages if desired. If `group_unread_count_by_room` is set to `false`, then with the above example, one would see an unread count of 1000 (email anyone?).

These are now only available via `/_synapse/admin/v1`.

This PR updates the push config's formatting to better align with our [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format).

Abstracts the SAML and OpenID Connect code which attempts to regenerate
the localpart of a matrix ID if it is already in use.

Clarify that the list media API only shows media from unencrypted events.

Some hopefully-useful notes on setting up a turnserver.

Checks that the localpart returned by mapping providers for SAML and
OIDC are valid before registering new users.

Extends the OIDC tests for existing users and invalid data.

If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.

Updates the sample configuration with the pysaml2 configuration for
accepting clock skew/drift between the homeserver and IdP.

Signed-off-by: Chagai Friedlander <chagai95@gmail.com>

Signed-off-by: Adrian Wannenmacher <tfld@tfld.dev>

Related to #8714. `event_reports.rst` was introduced in Synapse 1.21.0.

add some mdui:UIInfo element examples for saml2_config in homeserver.yaml

If SSO login is used (e.g. SAML) in a multi worker setup, it should be mentioned that currently all SAML logins must run on the same worker, see https://github.com/matrix-org/synapse/issues/7530

Also, if you are using different ports (for example 443 and 8448) in a reverse proxy for client and federation, the path `/_matrix/media` on the client and federation port must point to the listener of the `media_repository` worker, otherwise you'll get a 404 on the federation port for the path `/_matrix/media`, if a remote server is trying to get the media object on federation port, see https://github.com/matrix-org/synapse/issues/8695

Add `GET /_synapse/admin/v1/statistics/users/media` to get statisics about local media usage by users.
Related to #6094
It is the first API for statistics.
Goal is to avoid/reduce usage of sql queries like [Wiki analyzing Synapse](https://github.com/matrix-org/synapse/wiki/SQL-for-analyzing-Synapse-PostgreSQL-database-stats

)

Signed-off-by: Dirk Klimpel <dirk@klimpel.org>