Sign CloudFront urls only in case querystring_auth is enabled

[al-muammar]

Summary

At the moment, all URLs are being signed, even if querystring_auth is set to False.
This is needed in a scenario when a user have a mix of private and public content distributed via CloudFront and they don't want to sign public urls.

Test Plan

Updated tests to cover the scenario.

[al-muammar]

@terencehonles, could you take a look at the PR?
@jschneier, I would be happy if we could quickly merge this fix and maybe make a new release?

[terencehonles]

@jihadik I don't personally have a mix of private and public objects that use the same storage object. For my use case I have another storage object that does not have a cloudfront signer configured. For your PR how are you turning off and on the cloudfront signing? Is there a reason you don't just not configure the signer? If you still feel strongly that the signing should be turned on/off by a boolean setting I'm not sure it should be re-using the querystring_auth property.

[al-muammar]

@terencehonles, it's exactly the same logic as it was before: https://github.com/jschneier/django-storages/blob/master/storages/backends/s3boto3.py#L755-L757 So I think it's quite consistent.

[terencehonles]

@jihadik looks like I didn't notice this was already merged when I replied 😅 otherwise I wouldn't have commented on it.