You can stub the params hash as
params = ActionController::Parameters.new(your_hash)
This is the class that your URL params are being converted to in your controller, and it gives you the require and permit methods.
I personally extract the functionally out into a new class to handle the authorization policy.