2755: add support for signed locators in the Python SDK.

2755: add support for signed locators in the Python SDK.

* arvados.Keep.put() saves the response body (which may contain a
  signed locator) and returns it to the caller.

* arvados.Keep.get() passes the full signed locator to the remote Keep
  server. The bare MD5 hash is still used for caching and for
  shuffled_service_roots

* run_test_server.run_keep() takes arguments 'blob_signing_key' and
  'enforce_permissions', for testing permission signatures in unit
  tests.

* test_keep_client: new unit tests for permissions:
    - with --enforce-permissions=true:
        - GET with a signed locator works
        - GET with an unsigned locator fails
        - unauthenticated GET fails
    - with --enforce-permissions=false:
        - GET with a signed locator works
	- GET with an unsigned locator works
	- unauthenticated GET works

Bug fixes to permission handling in the Keep server:

* Locator hints may appear in any order; be flexible. Parse them in
  GetBlockHandler rather than in the REST router.

* Returned locators are terminated with newline (consistent with
  Warehouse, and more friendly for human debugging).

* The locator returned from a PUT request always has a size hint.

* The correct Authorization header keyword is "OAuth2", not
  "OAuth". D'oh.

* Updated unit tests to accommodate newlines, size hints and OAuth2.

Refs #2755.